From 3b79c62b0ddde5ed1aab5653fb008665c8e56aa1 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Thu, 15 Feb 2024 11:28:02 +0100 Subject: [PATCH 01/24] add two additional constructors for Asn1Time --- openssl/src/asn1.rs | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 8618be0e92..648755ff97 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -320,11 +320,21 @@ impl Asn1Time { } } + /// Creates a new time with the current time + pub fn now() -> Result { + Asn1Time::from_period(0) + } + /// Creates a new time on specified interval in days from now pub fn days_from_now(days: u32) -> Result { Asn1Time::from_period(days as c_long * 60 * 60 * 24) } + /// Creates a new time on specified interval in seconds from now + pub fn seconds_from_now(seconds: i64) -> Result { + Self::from_period(seconds) + } + /// Creates a new time from the specified `time_t` value #[corresponds(ASN1_TIME_set)] pub fn from_unix(time: time_t) -> Result { From 834e375d48d01fe0fc98d3ed99a74c133cb6d2d3 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Thu, 15 Feb 2024 11:41:41 +0100 Subject: [PATCH 02/24] extend X509Crl with revoke and sign capabilities --- openssl/src/x509/mod.rs | 86 ++++++++++++++++++++++++++++++++++++++- openssl/src/x509/tests.rs | 62 ++++++++++++++++++++++++++++ 2 files changed, 147 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 52ad4af8c7..f1027551dc 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -25,7 +25,7 @@ use std::str; use crate::asn1::{ Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, - Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type, + Asn1OctetStringRef, Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; use crate::conf::ConfRef; @@ -1652,6 +1652,26 @@ impl X509Revoked { X509Revoked, ffi::d2i_X509_REVOKED } + + pub fn new(to_revoke: &X509) -> Result { + unsafe { Ok(Self(Self::new_raw(to_revoke)?)) } + } + + /// the caller has to ensure the pointer is freed + unsafe fn new_raw(to_revoke: &X509) -> Result<*mut ffi::X509_REVOKED, ErrorStack> { + let result = cvt_p(ffi::X509_REVOKED_new())?; + + cvt(ffi::X509_REVOKED_set_serialNumber( + result, + to_revoke.serial_number().as_ptr(), + ))?; + cvt(ffi::X509_REVOKED_set_revocationDate( + result, + crate::asn1::Asn1Time::now()?.as_ptr(), + ))?; + + Ok(result) + } } impl X509RevokedRef { @@ -1827,6 +1847,70 @@ impl X509Crl { X509Crl, ffi::d2i_X509_CRL } + + pub fn new(issuer_cert: &X509) -> Result { + unsafe { + let crl = cvt_p(ffi::X509_CRL_new())?; + cvt(ffi::X509_CRL_set_version(crl, issuer_cert.version() as i64))?; + cvt(ffi::X509_CRL_set_issuer_name( + crl, + issuer_cert.issuer_name().as_ptr(), + ))?; + cvt(ffi::X509_CRL_set1_lastUpdate( + crl, + Asn1Time::now()?.as_ptr(), + ))?; + + Ok(Self(crl)) + } + } + + // Note: u32 seconds is more than enough for this + pub fn set_next_update_from_now(&mut self, seconds_from_now: u32) -> Result<(), ErrorStack> { + unsafe { + cvt(ffi::X509_CRL_set1_nextUpdate( + self.as_ptr(), + Asn1Time::seconds_from_now(seconds_from_now.into())?.as_ptr(), + )) + .map(|_| ()) + } + } + + pub fn entry_count(&mut self) -> usize { + self.get_revoked() + .map(|stack| stack.len()) + .unwrap_or_default() + } + + pub fn sign(&mut self, key: &PKeyRef, hash: MessageDigest) -> Result<(), ErrorStack> + where + T: HasPrivate, + { + unsafe { + cvt(ffi::X509_CRL_sign( + self.as_ptr(), + key.as_ptr(), + hash.as_ptr(), + )) + .map(|_| ()) + } + } + + pub fn revoke(&mut self, to_revoke: &X509) -> Result<(), ErrorStack> { + match self.get_by_cert(to_revoke) { + CrlStatus::NotRevoked => unsafe { + // we are not allowed to drop the revoked after adding it to the crl + let revoked = X509Revoked::new_raw(to_revoke)?; + if ffi::X509_CRL_add0_revoked(self.as_ptr(), revoked) == 0 { + return Err(ErrorStack::get()); + }; + }, + + _ => { /* do nothing, already revoked */ } + } + + Ok(()) + } } impl X509CrlRef { diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index ae61a2ad34..81c9725d1b 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -696,6 +696,68 @@ fn test_load_crl() { ); } +#[test] +fn test_crl_sign() { + let ca = include_bytes!("../../test/crl-ca.crt"); + let ca = X509::from_pem(ca).unwrap(); + let pkey = include_bytes!("../../test/rsa.pem"); + let pkey = PKey::private_key_from_pem(pkey).unwrap(); + + let mut crl = X509Crl::new(&ca).unwrap(); + crl.sign(&pkey, MessageDigest::sha256()).unwrap(); + assert!(crl.verify(&pkey).unwrap()); +} + +#[test] +fn test_crl_revoke() { + let ca = include_bytes!("../../test/crl-ca.crt"); + let ca = X509::from_pem(ca).unwrap(); + + let crl = include_bytes!("../../test/test.crl"); + let mut crl = X509Crl::from_der(crl).unwrap(); + assert!(crl.verify(&ca.public_key().unwrap()).unwrap()); + + // ensure revoking an already revoked cert does not do anything + { + let already_revoked_cert = include_bytes!("../../test/subca.crt"); + let already_revoked_cert = X509::from_pem(already_revoked_cert).unwrap(); + + let count_before = crl.entry_count(); + crl.revoke(&already_revoked_cert).unwrap(); + assert_eq!( + count_before, + crl.entry_count(), + "clr's entry count should not change when trying to revoke an already revoked cert" + ); + + assert!(crl.verify(&ca.public_key().unwrap()).unwrap()); + let revoked = match crl.get_by_cert(&already_revoked_cert) { + CrlStatus::Revoked(revoked) => revoked, + _ => panic!("cert should be revoked"), + }; + + assert_eq!( + revoked.serial_number().to_bn().unwrap(), + already_revoked_cert.serial_number().to_bn().unwrap(), + "revoked and cert serial numbers should match" + ); + } + + // ensure revoke does correctly add a new revoked cert to the crl + { + let cert = include_bytes!("../../test/cert.pem"); + let cert = X509::from_pem(cert).unwrap(); + + let count_before = crl.entry_count(); + crl.revoke(&cert).unwrap(); + assert_eq!( + count_before + 1, + crl.entry_count(), + "clr's entry count should have incremented by one after revoking a cert" + ); + } +} + #[test] fn test_crl_entry_extensions() { let crl = include_bytes!("../../test/entry_extensions.crl"); From e2756d312be50e8094764655bc359fcde629760b Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 09:10:07 +0100 Subject: [PATCH 03/24] add binding for ASN1_INTEGER_new --- openssl-sys/src/handwritten/asn1.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index 16ffcccfe7..a61c6b185b 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -79,6 +79,7 @@ extern "C" { pub fn ASN1_TIME_print(b: *mut BIO, tm: *const ASN1_TIME) -> c_int; pub fn ASN1_TIME_set(from: *mut ASN1_TIME, to: time_t) -> *mut ASN1_TIME; + pub fn ASN1_INTEGER_new() -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_free(x: *mut ASN1_INTEGER); pub fn ASN1_INTEGER_dup(a: *const ASN1_INTEGER) -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_get(dest: *const ASN1_INTEGER) -> c_long; From 235f8b1798263b36c04dffd9de88dc88158382bd Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 09:23:49 +0100 Subject: [PATCH 04/24] add crl method to set last updated time --- openssl/src/x509/mod.rs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index f1027551dc..0ce195d945 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1865,7 +1865,13 @@ impl X509Crl { } } - // Note: u32 seconds is more than enough for this + /// use a negative value to set a time before 'now' + pub fn set_last_update(&mut self, seconds_from_now: Option) -> Result<(), ErrorStack> { + let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as i64)?; + unsafe { cvt(ffi::X509_CRL_set1_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ()) } + } + + // Note: u32 seconds is more than enough for this; pub fn set_next_update_from_now(&mut self, seconds_from_now: u32) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_CRL_set1_nextUpdate( From 84f5937b8ea7529b72262fa05171de1eec1c17c4 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 09:25:30 +0100 Subject: [PATCH 05/24] extend crl's revoke method to update last_update time and add doc comment for it --- openssl/src/x509/mod.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 0ce195d945..5089c16eea 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1902,6 +1902,9 @@ impl X509Crl { } } + /// Revoke the given certificate. + /// This function won't produce duplicate entries in case the certificate was already revoked. + /// Sets the CRL's last_updated time to the current time before returning irregardless of the given certificate. pub fn revoke(&mut self, to_revoke: &X509) -> Result<(), ErrorStack> { match self.get_by_cert(to_revoke) { CrlStatus::NotRevoked => unsafe { @@ -1915,7 +1918,7 @@ impl X509Crl { _ => { /* do nothing, already revoked */ } } - Ok(()) + self.set_last_update(Some(0)) } } From bf4c7e174f09a73e33f46955dbdd11c693ee8c62 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 09:25:50 +0100 Subject: [PATCH 06/24] add support for crl's crl_number extension --- openssl/src/x509/mod.rs | 47 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5089c16eea..3504b7b3cc 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -24,7 +24,7 @@ use std::slice; use std::str; use crate::asn1::{ - Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, + Asn1BitStringRef, Asn1Enumerated, Asn1Integer, Asn1IntegerRef, Asn1Object, Asn1ObjectRef, Asn1OctetStringRef, Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; @@ -1902,6 +1902,51 @@ impl X509Crl { } } + /// Read the value of the crl_number extensions. + /// Returns None if the extension is not present. + pub fn read_crl_number(&self) -> Result, ErrorStack> { + unsafe { + let mut crit = 0; + let number = Asn1Integer::from_ptr_opt(std::mem::transmute(ffi::X509_CRL_get_ext_d2i( + self.as_ptr(), + ffi::NID_crl_number, + &mut crit, + std::ptr::null_mut(), + ))); + match number { + None => { + if crit == -1 { + // extension was not found + Ok(None) + } else { + Err(ErrorStack::get()) + } + } + + Some(number) => Ok(Some(ffi::ASN1_INTEGER_get(number.as_ptr()))), + } + } + } + + /// Set the crl_number extension's value. + /// If the extension is not present, it will be added. + pub fn set_crl_number(&mut self, value: i64) -> Result<(), ErrorStack> { + unsafe { + let number = ffi::ASN1_INTEGER_new(); + let number = Asn1Integer::from_ptr(number); + cvt(ffi::ASN1_INTEGER_set(number.as_ptr(), value))?; + + cvt(ffi::X509_CRL_add1_ext_i2d( + self.as_ptr(), + ffi::NID_crl_number, + std::mem::transmute(number.as_ptr()), + 0, + ffi::X509V3_ADD_REPLACE, + )) + .map(|_| ()) + } + } + /// Revoke the given certificate. /// This function won't produce duplicate entries in case the certificate was already revoked. /// Sets the CRL's last_updated time to the current time before returning irregardless of the given certificate. From 45534ac0c3bddfb0a2c30197941ac69e016d2806 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 10:16:55 +0100 Subject: [PATCH 07/24] use bignum for crl_number extension related functions --- openssl/src/x509/mod.rs | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 3504b7b3cc..5cc9039fc9 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -28,6 +28,7 @@ use crate::asn1::{ Asn1OctetStringRef, Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1Type, }; use crate::bio::MemBioSlice; +use crate::bn::BigNum; use crate::conf::ConfRef; use crate::error::ErrorStack; use crate::ex_data::Index; @@ -1904,7 +1905,7 @@ impl X509Crl { /// Read the value of the crl_number extensions. /// Returns None if the extension is not present. - pub fn read_crl_number(&self) -> Result, ErrorStack> { + pub fn read_crl_number(&self) -> Result, ErrorStack> { unsafe { let mut crit = 0; let number = Asn1Integer::from_ptr_opt(std::mem::transmute(ffi::X509_CRL_get_ext_d2i( @@ -1923,23 +1924,20 @@ impl X509Crl { } } - Some(number) => Ok(Some(ffi::ASN1_INTEGER_get(number.as_ptr()))), + Some(number) => Ok(Some(number.to_bn()?)), } } } /// Set the crl_number extension's value. /// If the extension is not present, it will be added. - pub fn set_crl_number(&mut self, value: i64) -> Result<(), ErrorStack> { + pub fn set_crl_number(&mut self, value: &BigNum) -> Result<(), ErrorStack> { unsafe { - let number = ffi::ASN1_INTEGER_new(); - let number = Asn1Integer::from_ptr(number); - cvt(ffi::ASN1_INTEGER_set(number.as_ptr(), value))?; - + let value = Asn1Integer::from_bn(value)?; cvt(ffi::X509_CRL_add1_ext_i2d( self.as_ptr(), ffi::NID_crl_number, - std::mem::transmute(number.as_ptr()), + std::mem::transmute(value.as_ptr()), 0, ffi::X509V3_ADD_REPLACE, )) From 57e376a0db45e13d017966d97ec32d4f4e6fdca1 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 10:26:49 +0100 Subject: [PATCH 08/24] fix crl_revoke test --- openssl/src/x509/tests.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 81c9725d1b..63cbc2fb54 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -717,7 +717,7 @@ fn test_crl_revoke() { let mut crl = X509Crl::from_der(crl).unwrap(); assert!(crl.verify(&ca.public_key().unwrap()).unwrap()); - // ensure revoking an already revoked cert does not do anything + // ensure revoking an already revoked cert does not change the revoked count { let already_revoked_cert = include_bytes!("../../test/subca.crt"); let already_revoked_cert = X509::from_pem(already_revoked_cert).unwrap(); @@ -730,12 +730,10 @@ fn test_crl_revoke() { "clr's entry count should not change when trying to revoke an already revoked cert" ); - assert!(crl.verify(&ca.public_key().unwrap()).unwrap()); let revoked = match crl.get_by_cert(&already_revoked_cert) { CrlStatus::Revoked(revoked) => revoked, _ => panic!("cert should be revoked"), }; - assert_eq!( revoked.serial_number().to_bn().unwrap(), already_revoked_cert.serial_number().to_bn().unwrap(), From cd0bf42b96949b12ed008f0a39ab8ede6c913d36 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 10:34:04 +0100 Subject: [PATCH 09/24] fix c related integer issues --- openssl/src/asn1.rs | 2 +- openssl/src/x509/mod.rs | 12 ++++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 648755ff97..12e0e2839d 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -331,7 +331,7 @@ impl Asn1Time { } /// Creates a new time on specified interval in seconds from now - pub fn seconds_from_now(seconds: i64) -> Result { + pub fn seconds_from_now(seconds: c_long) -> Result { Self::from_period(seconds) } diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 5cc9039fc9..188a7e5be0 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1852,7 +1852,10 @@ impl X509Crl { pub fn new(issuer_cert: &X509) -> Result { unsafe { let crl = cvt_p(ffi::X509_CRL_new())?; - cvt(ffi::X509_CRL_set_version(crl, issuer_cert.version() as i64))?; + cvt(ffi::X509_CRL_set_version( + crl, + issuer_cert.version() as c_long, + ))?; cvt(ffi::X509_CRL_set_issuer_name( crl, issuer_cert.issuer_name().as_ptr(), @@ -1868,7 +1871,7 @@ impl X509Crl { /// use a negative value to set a time before 'now' pub fn set_last_update(&mut self, seconds_from_now: Option) -> Result<(), ErrorStack> { - let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as i64)?; + let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as c_long)?; unsafe { cvt(ffi::X509_CRL_set1_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ()) } } @@ -1877,7 +1880,7 @@ impl X509Crl { unsafe { cvt(ffi::X509_CRL_set1_nextUpdate( self.as_ptr(), - Asn1Time::seconds_from_now(seconds_from_now.into())?.as_ptr(), + Asn1Time::seconds_from_now(seconds_from_now as c_long)?.as_ptr(), )) .map(|_| ()) } @@ -1939,7 +1942,8 @@ impl X509Crl { ffi::NID_crl_number, std::mem::transmute(value.as_ptr()), 0, - ffi::X509V3_ADD_REPLACE, + #[allow(clippy::useless_conversion)] + ffi::X509V3_ADD_REPLACE.try_into().expect("This is an openssl flag and should therefore always fit into the expected integer type"), )) .map(|_| ()) } From b44bcc5fd1ea872f553e3149e4522bd736e70e43 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 10:53:16 +0100 Subject: [PATCH 10/24] fix incompatibilities with older openssl versions --- openssl/src/x509/mod.rs | 65 +++++++++++++++++++++++++++++++---------- 1 file changed, 49 insertions(+), 16 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 188a7e5be0..94a571be14 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1852,18 +1852,25 @@ impl X509Crl { pub fn new(issuer_cert: &X509) -> Result { unsafe { let crl = cvt_p(ffi::X509_CRL_new())?; - cvt(ffi::X509_CRL_set_version( - crl, - issuer_cert.version() as c_long, - ))?; + #[cfg(ossl110)] + { + cvt(ffi::X509_CRL_set_version( + crl, + issuer_cert.version() as c_long, + ))?; + } cvt(ffi::X509_CRL_set_issuer_name( crl, issuer_cert.issuer_name().as_ptr(), ))?; - cvt(ffi::X509_CRL_set1_lastUpdate( - crl, - Asn1Time::now()?.as_ptr(), - ))?; + + cfg_if!( + if #[cfg(any(ossl110, libressl270))] { + cvt(ffi::X509_CRL_set1_lastUpdate(crl, Asn1Time::now()?.as_ptr())).map(|_| ())? + } else { + cvt(ffi::X509_CRL_set_lastUpdate(crl, Asn1Time::now()?.as_ptr())).map(|_| ())? + } + ); Ok(Self(crl)) } @@ -1872,18 +1879,44 @@ impl X509Crl { /// use a negative value to set a time before 'now' pub fn set_last_update(&mut self, seconds_from_now: Option) -> Result<(), ErrorStack> { let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as c_long)?; - unsafe { cvt(ffi::X509_CRL_set1_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ()) } + cfg_if!( + if #[cfg(any(ossl110, libressl270))] { + unsafe { + cvt(ffi::X509_CRL_set1_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ())? + }; + } else { + unsafe { + cvt(ffi::X509_CRL_set_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ())? + }; + } + ); + + Ok(()) } // Note: u32 seconds is more than enough for this; pub fn set_next_update_from_now(&mut self, seconds_from_now: u32) -> Result<(), ErrorStack> { - unsafe { - cvt(ffi::X509_CRL_set1_nextUpdate( - self.as_ptr(), - Asn1Time::seconds_from_now(seconds_from_now as c_long)?.as_ptr(), - )) - .map(|_| ()) - } + cfg_if!( + if #[cfg(any(ossl110, libressl270))] { + unsafe { + cvt(ffi::X509_CRL_set1_nextUpdate( + self.as_ptr(), + Asn1Time::seconds_from_now(seconds_from_now as c_long)?.as_ptr(), + )) + .map(|_| ())?; + } + } else { + unsafe { + cvt(ffi::X509_CRL_set_nextUpdate( + self.as_ptr(), + Asn1Time::seconds_from_now(seconds_from_now as c_long)?.as_ptr(), + )) + .map(|_| ())?; + } + } + ); + + Ok(()) } pub fn entry_count(&mut self) -> usize { From 30f4f30801ebdb0c2f804ed398a69ac63d527291 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 11:24:16 +0100 Subject: [PATCH 11/24] fix X509Crl::new leaking the Crl if an error occurs between allocation and returning --- openssl/src/x509/mod.rs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 94a571be14..c563c3d37e 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1851,28 +1851,28 @@ impl X509Crl { pub fn new(issuer_cert: &X509) -> Result { unsafe { - let crl = cvt_p(ffi::X509_CRL_new())?; + let crl = Self(cvt_p(ffi::X509_CRL_new())?); #[cfg(ossl110)] { cvt(ffi::X509_CRL_set_version( - crl, + crl.as_ptr(), issuer_cert.version() as c_long, ))?; } cvt(ffi::X509_CRL_set_issuer_name( - crl, + crl.as_ptr(), issuer_cert.issuer_name().as_ptr(), ))?; cfg_if!( if #[cfg(any(ossl110, libressl270))] { - cvt(ffi::X509_CRL_set1_lastUpdate(crl, Asn1Time::now()?.as_ptr())).map(|_| ())? + cvt(ffi::X509_CRL_set1_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())? } else { - cvt(ffi::X509_CRL_set_lastUpdate(crl, Asn1Time::now()?.as_ptr())).map(|_| ())? + cvt(ffi::X509_CRL_set_lastUpdate(crl.as_ptr, Asn1Time::now()?.as_ptr())).map(|_| ())? } ); - Ok(Self(crl)) + Ok(crl) } } From f98474f24c64b65baa383932fcf23dc6fe56dac5 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 11:24:57 +0100 Subject: [PATCH 12/24] remove binding for ASN1_INTEGER_new, it is no longer used --- openssl-sys/src/handwritten/asn1.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/openssl-sys/src/handwritten/asn1.rs b/openssl-sys/src/handwritten/asn1.rs index a61c6b185b..16ffcccfe7 100644 --- a/openssl-sys/src/handwritten/asn1.rs +++ b/openssl-sys/src/handwritten/asn1.rs @@ -79,7 +79,6 @@ extern "C" { pub fn ASN1_TIME_print(b: *mut BIO, tm: *const ASN1_TIME) -> c_int; pub fn ASN1_TIME_set(from: *mut ASN1_TIME, to: time_t) -> *mut ASN1_TIME; - pub fn ASN1_INTEGER_new() -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_free(x: *mut ASN1_INTEGER); pub fn ASN1_INTEGER_dup(a: *const ASN1_INTEGER) -> *mut ASN1_INTEGER; pub fn ASN1_INTEGER_get(dest: *const ASN1_INTEGER) -> c_long; From 62a449c056b583f70c174ee4c6d58525b82af754 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 11:28:39 +0100 Subject: [PATCH 13/24] fix typo --- openssl/src/x509/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index c563c3d37e..ec66713e26 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1868,7 +1868,7 @@ impl X509Crl { if #[cfg(any(ossl110, libressl270))] { cvt(ffi::X509_CRL_set1_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())? } else { - cvt(ffi::X509_CRL_set_lastUpdate(crl.as_ptr, Asn1Time::now()?.as_ptr())).map(|_| ())? + cvt(ffi::X509_CRL_set_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())? } ); From f738016988942c455dc60581d6d3965f28d0ddb0 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 11:36:29 +0100 Subject: [PATCH 14/24] boringssl compatibility --- openssl/src/x509/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ec66713e26..2c2bc76f3c 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1865,7 +1865,7 @@ impl X509Crl { ))?; cfg_if!( - if #[cfg(any(ossl110, libressl270))] { + if #[cfg(any(ossl110, libressl270, boringssl))] { cvt(ffi::X509_CRL_set1_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())? } else { cvt(ffi::X509_CRL_set_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())? @@ -1880,7 +1880,7 @@ impl X509Crl { pub fn set_last_update(&mut self, seconds_from_now: Option) -> Result<(), ErrorStack> { let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as c_long)?; cfg_if!( - if #[cfg(any(ossl110, libressl270))] { + if #[cfg(any(ossl110, libressl270, boringssl))] { unsafe { cvt(ffi::X509_CRL_set1_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ())? }; @@ -1897,7 +1897,7 @@ impl X509Crl { // Note: u32 seconds is more than enough for this; pub fn set_next_update_from_now(&mut self, seconds_from_now: u32) -> Result<(), ErrorStack> { cfg_if!( - if #[cfg(any(ossl110, libressl270))] { + if #[cfg(any(ossl110, libressl270, boringssl))] { unsafe { cvt(ffi::X509_CRL_set1_nextUpdate( self.as_ptr(), From 4213ae2d6a35dde07a66e164bb9676e2e4ec5bdb Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 11:53:45 +0100 Subject: [PATCH 15/24] avoid unsigned to signed casting --- openssl/src/x509/mod.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 2c2bc76f3c..06abf252bd 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1894,8 +1894,7 @@ impl X509Crl { Ok(()) } - // Note: u32 seconds is more than enough for this; - pub fn set_next_update_from_now(&mut self, seconds_from_now: u32) -> Result<(), ErrorStack> { + pub fn set_next_update_from_now(&mut self, seconds_from_now: i32) -> Result<(), ErrorStack> { cfg_if!( if #[cfg(any(ossl110, libressl270, boringssl))] { unsafe { From d7a8f3f342cebaee3aa7cee8c7d4084507114b20 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sat, 17 Feb 2024 12:02:08 +0100 Subject: [PATCH 16/24] fix potential memory leak in X509Revoked::new_raw --- openssl/src/x509/mod.rs | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 06abf252bd..fea858d885 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1662,14 +1662,15 @@ impl X509Revoked { unsafe fn new_raw(to_revoke: &X509) -> Result<*mut ffi::X509_REVOKED, ErrorStack> { let result = cvt_p(ffi::X509_REVOKED_new())?; - cvt(ffi::X509_REVOKED_set_serialNumber( - result, - to_revoke.serial_number().as_ptr(), - ))?; - cvt(ffi::X509_REVOKED_set_revocationDate( - result, - crate::asn1::Asn1Time::now()?.as_ptr(), - ))?; + if ffi::X509_REVOKED_set_serialNumber(result, to_revoke.serial_number().as_ptr()) <= 0 { + ffi::X509_REVOKED_free(result); + return Err(ErrorStack::get()); + } + if ffi::X509_REVOKED_set_revocationDate(result, crate::asn1::Asn1Time::now()?.as_ptr()) <= 0 + { + ffi::X509_REVOKED_free(result); + return Err(ErrorStack::get()); + } Ok(result) } From 75397e83ed326de782ec1c602466585a88d3e8f7 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Thu, 29 Feb 2024 08:29:41 +0100 Subject: [PATCH 17/24] use seconds_from_now instead of from_period in asn1 time methods --- openssl/src/asn1.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/asn1.rs b/openssl/src/asn1.rs index 12e0e2839d..9b8dad7fe7 100644 --- a/openssl/src/asn1.rs +++ b/openssl/src/asn1.rs @@ -322,17 +322,17 @@ impl Asn1Time { /// Creates a new time with the current time pub fn now() -> Result { - Asn1Time::from_period(0) + Asn1Time::seconds_from_now(0) } /// Creates a new time on specified interval in days from now pub fn days_from_now(days: u32) -> Result { - Asn1Time::from_period(days as c_long * 60 * 60 * 24) + Asn1Time::seconds_from_now(days as c_long * 60 * 60 * 24) } /// Creates a new time on specified interval in seconds from now pub fn seconds_from_now(seconds: c_long) -> Result { - Self::from_period(seconds) + Asn1Time::from_period(seconds) } /// Creates a new time from the specified `time_t` value From 41fd2a458e6a34f8554a4ee856331f9aec4f46ce Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sun, 3 Mar 2024 11:49:50 +0100 Subject: [PATCH 18/24] add binding for X509_CRL_get_version --- openssl-sys/src/handwritten/x509.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 7642dcd3b9..07f957ab89 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -449,6 +449,7 @@ extern "C" { #[cfg(ossl110)] pub fn X509_get0_extensions(req: *const X509) -> *const stack_st_X509_EXTENSION; + pub fn X509_CRL_get_version(crl: *const X509_CRL) -> c_long; pub fn X509_CRL_set_version(crl: *mut X509_CRL, version: c_long) -> c_int; } const_ptr_api! { From a86bf408409507771bf8fbaa99ce203958a571b5 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sun, 3 Mar 2024 11:51:01 +0100 Subject: [PATCH 19/24] add method to retrieve a CRL's version --- openssl/src/x509/mod.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 6dcbcfaee2..3286de8955 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1895,6 +1895,10 @@ impl X509Crl { } } + pub fn version(&self) -> i32 { + unsafe { ffi::X509_CRL_get_version(self.as_ptr()) as i32 } + } + /// use a negative value to set a time before 'now' pub fn set_last_update(&mut self, seconds_from_now: Option) -> Result<(), ErrorStack> { let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as c_long)?; From fc468e59bcba4519e1135ee2b0da7c6008deca97 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sun, 3 Mar 2024 11:53:31 +0100 Subject: [PATCH 20/24] rework X509Crl::new add optional config paramter; fix erroneous CRL version; add AuthorityKetIdenfier extension when building CRLv2; set_crl_number is now private; increment_crl_number is the new public interface, returning the new crl value, or None if self is a CRLv1; update tests using X509Crl::new --- openssl/src/x509/mod.rs | 73 +++++++++++++++++++++++++++++++++------ openssl/src/x509/tests.rs | 2 +- 2 files changed, 64 insertions(+), 11 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 3286de8955..8344cbdb56 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -39,6 +39,7 @@ use crate::ssl::SslRef; use crate::stack::{Stack, StackRef, Stackable}; use crate::string::OpensslString; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; +use crate::x509::extension::AuthorityKeyIdentifier; use crate::{cvt, cvt_n, cvt_p, cvt_p_const}; use openssl_macros::corresponds; @@ -1868,20 +1869,50 @@ impl X509Crl { ffi::d2i_X509_CRL } - pub fn new(issuer_cert: &X509) -> Result { + const X509_VERSION_3: i32 = 2; + const X509_CRL_VERSION_2: i32 = 1; + + pub fn new(issuer_cert: &X509, conf: Option<&ConfRef>) -> Result { unsafe { let crl = Self(cvt_p(ffi::X509_CRL_new())?); - #[cfg(ossl110)] - { - cvt(ffi::X509_CRL_set_version( + + if issuer_cert.version() >= Self::X509_VERSION_3 { + #[cfg(any(ossl110, libressl251, boringssl))] + { + // "if present, MUST be v2" (source: RFC 5280, page 55) + cvt(ffi::X509_CRL_set_version( + crl.as_ptr(), + Self::X509_CRL_VERSION_2 as c_long, + ))?; + } + + cvt(ffi::X509_CRL_set_issuer_name( crl.as_ptr(), - issuer_cert.version() as c_long, + issuer_cert.issuer_name().as_ptr(), ))?; + + let context = { + let mut ctx = std::mem::MaybeUninit::::zeroed(); + ffi::X509V3_set_ctx( + ctx.as_mut_ptr(), + issuer_cert.as_ptr(), + std::ptr::null_mut(), + std::ptr::null_mut(), + crl.as_ptr(), + 0, + ); + let mut ctx = ctx.assume_init(); + + if let Some(conf) = conf { + ffi::X509V3_set_nconf(&mut ctx, conf.as_ptr()); + } + + X509v3Context(ctx, PhantomData) + }; + + let ext = AuthorityKeyIdentifier::new().keyid(true).build(&context)?; + cvt(ffi::X509_CRL_add_ext(crl.as_ptr(), ext.as_ptr(), -1))?; } - cvt(ffi::X509_CRL_set_issuer_name( - crl.as_ptr(), - issuer_cert.issuer_name().as_ptr(), - ))?; cfg_if!( if #[cfg(any(ossl110, libressl270, boringssl))] { @@ -1987,9 +2018,11 @@ impl X509Crl { } } + /// This is an internal function, therefore the caller is expected to ensure not to call this with a CRLv1 /// Set the crl_number extension's value. /// If the extension is not present, it will be added. - pub fn set_crl_number(&mut self, value: &BigNum) -> Result<(), ErrorStack> { + fn set_crl_number(&mut self, value: &BigNum) -> Result<(), ErrorStack> { + debug_assert_eq!(self.version(), Self::X509_CRL_VERSION_2); unsafe { let value = Asn1Integer::from_bn(value)?; cvt(ffi::X509_CRL_add1_ext_i2d( @@ -2004,6 +2037,26 @@ impl X509Crl { } } + /// Increment the crl number (or try to add the extension if not present) + /// + /// Returns the new crl number, unless self is a crlv1, which does not support extensions + pub fn increment_crl_number(&mut self) -> Result, ErrorStack> { + if self.version() == Self::X509_CRL_VERSION_2 { + let new_crl_number = if let Some(mut n) = self.read_crl_number()? { + n.add_word(1)?; + n + } else { + BigNum::from_u32(1)? + }; + + self.set_crl_number(&new_crl_number)?; + + Ok(Some(new_crl_number)) + } else { + Ok(None) + } + } + /// Revoke the given certificate. /// This function won't produce duplicate entries in case the certificate was already revoked. /// Sets the CRL's last_updated time to the current time before returning irregardless of the given certificate. diff --git a/openssl/src/x509/tests.rs b/openssl/src/x509/tests.rs index 63cbc2fb54..19abe2c932 100644 --- a/openssl/src/x509/tests.rs +++ b/openssl/src/x509/tests.rs @@ -703,7 +703,7 @@ fn test_crl_sign() { let pkey = include_bytes!("../../test/rsa.pem"); let pkey = PKey::private_key_from_pem(pkey).unwrap(); - let mut crl = X509Crl::new(&ca).unwrap(); + let mut crl = X509Crl::new(&ca, None).unwrap(); crl.sign(&pkey, MessageDigest::sha256()).unwrap(); assert!(crl.verify(&pkey).unwrap()); } From a53177ec19ea98b64f8eae5b8d625cc75a1bde39 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sun, 3 Mar 2024 12:18:23 +0100 Subject: [PATCH 21/24] add conditional compilation directives --- openssl-sys/src/handwritten/x509.rs | 2 ++ openssl/src/x509/mod.rs | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 07f957ab89..2c0dfca652 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -449,7 +449,9 @@ extern "C" { #[cfg(ossl110)] pub fn X509_get0_extensions(req: *const X509) -> *const stack_st_X509_EXTENSION; + #[cfg(ossl110)] pub fn X509_CRL_get_version(crl: *const X509_CRL) -> c_long; + pub fn X509_CRL_set_version(crl: *mut X509_CRL, version: c_long) -> c_int; } const_ptr_api! { diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 8344cbdb56..4576e02a2d 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1876,6 +1876,7 @@ impl X509Crl { unsafe { let crl = Self(cvt_p(ffi::X509_CRL_new())?); + #[cfg(ossl110)] if issuer_cert.version() >= Self::X509_VERSION_3 { #[cfg(any(ossl110, libressl251, boringssl))] { @@ -1926,6 +1927,9 @@ impl X509Crl { } } + /// Note that `0` return value stands for version 1, `1` for version 2. + #[cfg(ossl110)] + #[corresponds(X509_CRL_get_version)] pub fn version(&self) -> i32 { unsafe { ffi::X509_CRL_get_version(self.as_ptr()) as i32 } } @@ -2021,6 +2025,7 @@ impl X509Crl { /// This is an internal function, therefore the caller is expected to ensure not to call this with a CRLv1 /// Set the crl_number extension's value. /// If the extension is not present, it will be added. + #[cfg(ossl110)] fn set_crl_number(&mut self, value: &BigNum) -> Result<(), ErrorStack> { debug_assert_eq!(self.version(), Self::X509_CRL_VERSION_2); unsafe { @@ -2040,6 +2045,7 @@ impl X509Crl { /// Increment the crl number (or try to add the extension if not present) /// /// Returns the new crl number, unless self is a crlv1, which does not support extensions + #[cfg(ossl110)] pub fn increment_crl_number(&mut self) -> Result, ErrorStack> { if self.version() == Self::X509_CRL_VERSION_2 { let new_crl_number = if let Some(mut n) = self.read_crl_number()? { From 3e4fbdb72c433b73385cd5b8764f0141cc932588 Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sun, 3 Mar 2024 12:28:49 +0100 Subject: [PATCH 22/24] linting --- openssl/src/x509/mod.rs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 4576e02a2d..ed67138eff 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -39,7 +39,6 @@ use crate::ssl::SslRef; use crate::stack::{Stack, StackRef, Stackable}; use crate::string::OpensslString; use crate::util::{ForeignTypeExt, ForeignTypeRefExt}; -use crate::x509::extension::AuthorityKeyIdentifier; use crate::{cvt, cvt_n, cvt_p, cvt_p_const}; use openssl_macros::corresponds; @@ -1869,15 +1868,21 @@ impl X509Crl { ffi::d2i_X509_CRL } + #[cfg(ossl110)] const X509_VERSION_3: i32 = 2; + #[cfg(ossl110)] const X509_CRL_VERSION_2: i32 = 1; + // if not cfg(ossl110) issuer_cert is unused + #[allow(unused_variables)] pub fn new(issuer_cert: &X509, conf: Option<&ConfRef>) -> Result { unsafe { let crl = Self(cvt_p(ffi::X509_CRL_new())?); #[cfg(ossl110)] if issuer_cert.version() >= Self::X509_VERSION_3 { + use crate::x509::extension::AuthorityKeyIdentifier; + #[cfg(any(ossl110, libressl251, boringssl))] { // "if present, MUST be v2" (source: RFC 5280, page 55) From 974a8d861f559f729a1d4059a18acbaf642845ba Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Sun, 3 Mar 2024 12:48:06 +0100 Subject: [PATCH 23/24] extend availability of X509_CRL_get_version and related function to libressl 2.8.1 --- openssl-sys/src/handwritten/x509.rs | 2 +- openssl/src/x509/mod.rs | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/openssl-sys/src/handwritten/x509.rs b/openssl-sys/src/handwritten/x509.rs index 2c0dfca652..4ec019f399 100644 --- a/openssl-sys/src/handwritten/x509.rs +++ b/openssl-sys/src/handwritten/x509.rs @@ -449,7 +449,7 @@ extern "C" { #[cfg(ossl110)] pub fn X509_get0_extensions(req: *const X509) -> *const stack_st_X509_EXTENSION; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] pub fn X509_CRL_get_version(crl: *const X509_CRL) -> c_long; pub fn X509_CRL_set_version(crl: *mut X509_CRL, version: c_long) -> c_int; diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index ed67138eff..09eb8c51a9 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -621,7 +621,7 @@ impl X509Ref { /// /// Note that `0` return value stands for version 1, `1` for version 2 and so on. #[corresponds(X509_get_version)] - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] #[allow(clippy::unnecessary_cast)] pub fn version(&self) -> i32 { unsafe { ffi::X509_get_version(self.as_ptr()) as i32 } @@ -1868,9 +1868,9 @@ impl X509Crl { ffi::d2i_X509_CRL } - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] const X509_VERSION_3: i32 = 2; - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] const X509_CRL_VERSION_2: i32 = 1; // if not cfg(ossl110) issuer_cert is unused @@ -1879,7 +1879,7 @@ impl X509Crl { unsafe { let crl = Self(cvt_p(ffi::X509_CRL_new())?); - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] if issuer_cert.version() >= Self::X509_VERSION_3 { use crate::x509::extension::AuthorityKeyIdentifier; @@ -1933,7 +1933,7 @@ impl X509Crl { } /// Note that `0` return value stands for version 1, `1` for version 2. - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] #[corresponds(X509_CRL_get_version)] pub fn version(&self) -> i32 { unsafe { ffi::X509_CRL_get_version(self.as_ptr()) as i32 } @@ -2030,7 +2030,7 @@ impl X509Crl { /// This is an internal function, therefore the caller is expected to ensure not to call this with a CRLv1 /// Set the crl_number extension's value. /// If the extension is not present, it will be added. - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] fn set_crl_number(&mut self, value: &BigNum) -> Result<(), ErrorStack> { debug_assert_eq!(self.version(), Self::X509_CRL_VERSION_2); unsafe { @@ -2050,7 +2050,7 @@ impl X509Crl { /// Increment the crl number (or try to add the extension if not present) /// /// Returns the new crl number, unless self is a crlv1, which does not support extensions - #[cfg(ossl110)] + #[cfg(any(ossl110, libressl281))] pub fn increment_crl_number(&mut self) -> Result, ErrorStack> { if self.version() == Self::X509_CRL_VERSION_2 { let new_crl_number = if let Some(mut n) = self.read_crl_number()? { From 812b73e01ffbcac6b7ba61fe801b2313269e5c7b Mon Sep 17 00:00:00 2001 From: Georg Weisert Date: Fri, 22 Mar 2024 12:14:50 +0100 Subject: [PATCH 24/24] use non-owning X509 where sensible --- openssl/src/x509/mod.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs index 09eb8c51a9..5c95e5bba5 100644 --- a/openssl/src/x509/mod.rs +++ b/openssl/src/x509/mod.rs @@ -1672,12 +1672,12 @@ impl X509Revoked { ffi::d2i_X509_REVOKED } - pub fn new(to_revoke: &X509) -> Result { + pub fn new(to_revoke: &X509Ref) -> Result { unsafe { Ok(Self(Self::new_raw(to_revoke)?)) } } /// the caller has to ensure the pointer is freed - unsafe fn new_raw(to_revoke: &X509) -> Result<*mut ffi::X509_REVOKED, ErrorStack> { + unsafe fn new_raw(to_revoke: &X509Ref) -> Result<*mut ffi::X509_REVOKED, ErrorStack> { let result = cvt_p(ffi::X509_REVOKED_new())?; if ffi::X509_REVOKED_set_serialNumber(result, to_revoke.serial_number().as_ptr()) <= 0 { @@ -1875,7 +1875,7 @@ impl X509Crl { // if not cfg(ossl110) issuer_cert is unused #[allow(unused_variables)] - pub fn new(issuer_cert: &X509, conf: Option<&ConfRef>) -> Result { + pub fn new(issuer_cert: &X509Ref, conf: Option<&ConfRef>) -> Result { unsafe { let crl = Self(cvt_p(ffi::X509_CRL_new())?);