Add PKCS8 Support #209
Add PKCS8 Support #209
Conversation
| let pkey = PKey::private_key_from_pem(key)?; | ||
| let mut cert_chain = X509::stack_from_pem(buf)?.into_iter(); | ||
| let cert = cert_chain.next(); | ||
| let chain = cert_chain.collect(); |
There was a problem hiding this comment.
Isn't this collecting a vec directly back into a vec?
There was a problem hiding this comment.
It's collecting the rest of the chain after taking the first.
| @@ -258,7 +270,10 @@ impl TlsConnector { | |||
| if let Some(ref identity) = builder.identity { | |||
| connector.set_certificate(&identity.0.cert)?; | |||
| connector.set_private_key(&identity.0.pkey)?; | |||
| for cert in identity.0.chain.iter().rev() { | |||
| for cert in identity.0.chain.iter() { | |||
There was a problem hiding this comment.
Why is this order being reversed?
There was a problem hiding this comment.
I don't know the details. Previous discussion: #147 (comment)
There was a problem hiding this comment.
In 05fb5e5 you wrote:
Reverse chain loading for openssl
The stack is the reverse of what you might expect due to the way
PKCS12_parse is implemented, so we need to load it backwards.
Closes #110
If PKCS12_parse is the cause, maybe it's better to reverse the chain in from_pkcs12?
rust-native-tls/src/imp/openssl.rs
Line 161 in 82ae9a3
|
@sfackler Please approve running workflows. |
|
Here's a patch to fix the macOS build: diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
index ca86cd5..f133903 100644
--- a/src/imp/security_framework.rs
+++ b/src/imp/security_framework.rs
@@ -423,6 +423,7 @@ impl<S: io::Read + io::Write> TlsStream<S> {
Ok(self.stream.context().buffered_read_size()?)
}
+ #[allow(deprecated)]
pub fn peer_certificate(&self) -> Result<Option<Certificate>, Error> {
let trust = match self.stream.context().peer_trust2()? {
Some(trust) => trust,
diff --git a/src/test.rs b/src/test.rs
index 897bb85..5fe8151 100644
--- a/src/test.rs
+++ b/src/test.rs
@@ -186,7 +186,10 @@ fn peer_certificate() {
let socket = p!(builder.connect("localhost", socket));
let cert = socket.peer_certificate().unwrap().unwrap();
- assert_eq!(cert.to_der().unwrap(), keys.client.ca.get_der());
+ assert_eq!(
+ cert.to_der().unwrap(),
+ keys.server.cert_and_key.cert.get_der()
+ );
p!(j.join());
} |
|
I will have to fix the OpenSSL issue tomorrow. |
|
Linux tests should be fixed if you merge in master. |
|
Keys are generated by |
The function should probably be renamed.
|
|
I don't understand what you mean by this. |
|
Just to be clear, only accepting PKCS#8 is fine if that's what is best for If we're going strict, we'll need to reject keys in
If
If |
|
I would be more than happy to also support PKCS1 (if for no other reason than to avoid all of the support issues from people with the wrong encoding :D), but whatever is implemented does definitely need to be consistent across the backends, either supporting or not supporting a format. |
|
Oh wow... thank you all for the flurry of comments and commits! While I'm mainly looking for PKCS 8 support (since in my case, I can require that the private keys are in PKCS 8 form), I agree with @kazk and @sfackler that if we are to limit the key format to PKCS 8, we need to do so consistently across all backends, and if we are to support something, all three backends should support it. (I'd also add that if we want to make a generic function that accepts keys of different formats (PKCS 1, PKCS 8, SEC 1, etc.), it shouldn't be named And again, do let me know if there's anything I can do to help! |
|
I'll change to only support PKCS#8 format by rejecting anything else. I don't have a macOS/Windows machine to work on adding and testing other formats. Also, I found a way to convert PKCS#1 and SEC1 to PKCS#8 in pure Rust that might be good enough for my use case (started topk8). I tried using topk8 to test Windows after converting PKCS#1 to PKCS#8, and it seems to work. But
Not sure what's wrong because EDIT: Moved the task list to PR body |
|
@sfackler I need you to approve running workflows again. I tested on my fork, and all tests should pass. |
| fn gen_container_name() -> String { | ||
| use std::sync::atomic::{AtomicUsize, Ordering}; | ||
| static COUNTER: AtomicUsize = AtomicUsize::new(0); | ||
| format!("native-tls-{}", COUNTER.fetch_add(1, Ordering::Relaxed)) |
There was a problem hiding this comment.
two_servers test fails without this.
|
I have no experience with MacOS programming, and I see the P12 code also does this, but is there really no way to import key material without involving the filesystem? |
|
Yeah, unless things have changed since last time I looked into this, you can only get a SecIdentify out of a keychain, and keychains have to live on the filesystem. |
|
What needs to be done before merge? |
Squashed and rebased #147, then updated the tests to use
test-cert-genlike the other tests.Closes #27
opensslandsecurity_framework. Done by simply checking the start of the key.from_pkcs8tests to use PKCS#8 keys.test_cert_gendoesn't support it, so generated RSA keys are converted usingopenssl pkcs8 -topk8 -nocrypt.two_serverstest. Fixed by using unique container names.