From 3539b1675e5926fc0bca1c4d12149569d874bc9e Mon Sep 17 00:00:00 2001 From: Anthony Ramine Date: Tue, 2 Jan 2024 15:33:52 +0100 Subject: [PATCH] Introduce X509Flags For now it has a single associated constant, X509Flags::TRUSTED_FIRST. --- boring/src/ssl/mod.rs | 7 +- boring/src/x509/mod.rs | 12 ++- boring/src/x509/store.rs | 21 +++++ boring/src/x509/tests/mod.rs | 2 + boring/src/x509/tests/trusted_first.rs | 104 +++++++++++++++++++++++++ boring/src/x509/verify.rs | 35 ++++++++- boring/test/root-ca-2.key | 27 +++++++ boring/test/root-ca-2.pem | 20 +++++ boring/test/root-ca-cross.pem | 21 +++++ 9 files changed, 246 insertions(+), 3 deletions(-) create mode 100644 boring/src/x509/tests/trusted_first.rs create mode 100644 boring/test/root-ca-2.key create mode 100644 boring/test/root-ca-2.pem create mode 100644 boring/test/root-ca-cross.pem diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index d7299f99..ead1e06b 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -3176,7 +3176,7 @@ impl SslRef { /// This corresponds to [`SSL_get0_param`]. /// /// [`SSL_get0_param`]: https://www.openssl.org/docs/man1.0.2/ssl/SSL_get0_param.html - pub fn param_mut(&mut self) -> &mut X509VerifyParamRef { + pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef { #[cfg(feature = "rpk")] assert!( !self.ssl_context().is_rpk(), @@ -3186,6 +3186,11 @@ impl SslRef { unsafe { X509VerifyParamRef::from_ptr_mut(ffi::SSL_get0_param(self.as_ptr())) } } + /// See [`Self::verify_param_mut`]. + pub fn param_mut(&mut self) -> &mut X509VerifyParamRef { + self.verify_param_mut() + } + /// Returns the certificate verification result. /// /// This corresponds to [`SSL_get_verify_result`]. diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index 10ee1935..5140841b 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -7,7 +7,6 @@ //! Internet protocols, including SSL/TLS, which is the basis for HTTPS, //! the secure protocol for browsing the web. -use crate::ffi; use foreign_types::{ForeignType, ForeignTypeRef}; use libc::{c_int, c_long, c_void}; use std::convert::TryInto; @@ -30,12 +29,14 @@ use crate::bio::MemBioSlice; use crate::conf::ConfRef; use crate::error::ErrorStack; use crate::ex_data::Index; +use crate::ffi; use crate::hash::{DigestBytes, MessageDigest}; use crate::nid::Nid; use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef, Public}; use crate::ssl::SslRef; use crate::stack::{Stack, StackRef, Stackable}; use crate::string::OpensslString; +use crate::x509::verify::X509VerifyParamRef; use crate::{cvt, cvt_n, cvt_p}; pub mod extension; @@ -147,6 +148,15 @@ impl X509StoreContextRef { } } + /// Returns a mutable reference to the X509 verification configuration. + /// + /// This corresponds to [`X509_STORE_CTX_get0_param`]. + /// + /// [`SSL_get0_param`]: https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get0_param.html + pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef { + unsafe { X509VerifyParamRef::from_ptr_mut(ffi::X509_STORE_CTX_get0_param(self.as_ptr())) } + } + /// Verifies the stored certificate. /// /// Returns `true` if verification succeeds. The `error` method will return the specific diff --git a/boring/src/x509/store.rs b/boring/src/x509/store.rs index 885df975..ee3fb52f 100644 --- a/boring/src/x509/store.rs +++ b/boring/src/x509/store.rs @@ -43,6 +43,7 @@ use crate::error::ErrorStack; use crate::ffi; use crate::stack::StackRef; +use crate::x509::verify::{X509Flags, X509VerifyParamRef}; use crate::x509::{X509Object, X509}; use crate::{cvt, cvt_p}; use foreign_types::{ForeignType, ForeignTypeRef}; @@ -91,6 +92,26 @@ impl X509StoreBuilderRef { pub fn set_default_paths(&mut self) -> Result<(), ErrorStack> { unsafe { cvt(ffi::X509_STORE_set_default_paths(self.as_ptr())).map(|_| ()) } } + + /// Sets verify flags. + /// + /// This corresponds to [`X509_STORE_set_flags`]. + /// + /// [`X509_STORE_set_flags`]: https://www.openssl.org/docs/manmaster/man3/X509_STORE_set_flags.html + pub fn set_flags(&mut self, flags: X509Flags) { + unsafe { + ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits()); + } + } + + /// Returns a mutable reference to the X509 verification configuration. + /// + /// This corresponds to [`X509_STORE_get0_param`]. + /// + /// [`SSL_get0_param`]: https://www.openssl.org/docs/manmaster/man3/X509_STORE_get0_param.html + pub fn verify_param_mut(&mut self) -> &mut X509VerifyParamRef { + unsafe { X509VerifyParamRef::from_ptr_mut(ffi::X509_STORE_get0_param(self.as_ptr())) } + } } foreign_type_and_impl_send_sync! { diff --git a/boring/src/x509/tests/mod.rs b/boring/src/x509/tests/mod.rs index a2a3f40c..8c4cfce5 100644 --- a/boring/src/x509/tests/mod.rs +++ b/boring/src/x509/tests/mod.rs @@ -14,6 +14,8 @@ use crate::x509::extension::{ use crate::x509::store::X509StoreBuilder; use crate::x509::{X509Extension, X509Name, X509Req, X509StoreContext, X509}; +mod trusted_first; + fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); PKey::from_rsa(rsa).unwrap() diff --git a/boring/src/x509/tests/trusted_first.rs b/boring/src/x509/tests/trusted_first.rs new file mode 100644 index 00000000..179ab82b --- /dev/null +++ b/boring/src/x509/tests/trusted_first.rs @@ -0,0 +1,104 @@ +//! See https://github.com/google/boringssl/blob/cc696073cffe7978d489297fbdeac4c0030384aa/crypto/x509/x509_test.cc#L3977-L3980 + +use crate::stack::Stack; +use crate::x509::store::X509StoreBuilder; +use crate::x509::verify::{X509Flags, X509VerifyParamRef}; +use crate::x509::{X509Ref, X509StoreContext, X509VerifyError, X509VerifyResult, X509}; + +#[test] +fn test_verify_cert() { + let root2 = X509::from_pem(include_bytes!("../../../test/root-ca-2.pem")).unwrap(); + let root1 = X509::from_pem(include_bytes!("../../../test/root-ca.pem")).unwrap(); + let root1_cross = X509::from_pem(include_bytes!("../../../test/root-ca-cross.pem")).unwrap(); + let intermediate = X509::from_pem(include_bytes!("../../../test/intermediate-ca.pem")).unwrap(); + let leaf = X509::from_pem(include_bytes!("../../../test/cert.pem")).unwrap(); + + assert_eq!(Ok(()), verify(&leaf, &[&root1], &[&intermediate], |_| {})); + + #[cfg(not(feature = "fips"))] + assert_eq!( + Ok(()), + verify( + &leaf, + &[&root1, &root2], + &[&intermediate, &root1_cross], + |_| {} + ) + ); + + #[cfg(feature = "fips")] + assert_eq!( + Err(X509VerifyError::CERT_HAS_EXPIRED), + verify( + &leaf, + &[&root1, &root2], + &[&intermediate, &root1_cross], + |_| {} + ) + ); + + assert_eq!( + Ok(()), + verify( + &leaf, + &[&root1, &root2], + &[&intermediate, &root1_cross], + |param| param.set_flags(X509Flags::TRUSTED_FIRST), + ) + ); + + assert_eq!( + Err(X509VerifyError::CERT_HAS_EXPIRED), + verify( + &leaf, + &[&root1, &root2], + &[&intermediate, &root1_cross], + |param| param.clear_flags(X509Flags::TRUSTED_FIRST), + ) + ); + + assert_eq!( + Ok(()), + verify(&leaf, &[&root1], &[&intermediate, &root1_cross], |param| { + param.clear_flags(X509Flags::TRUSTED_FIRST) + },) + ); +} + +fn verify( + cert: &X509Ref, + trusted: &[&X509Ref], + untrusted: &[&X509Ref], + configure: impl FnOnce(&mut X509VerifyParamRef), +) -> X509VerifyResult { + let trusted = { + let mut builder = X509StoreBuilder::new().unwrap(); + + for cert in trusted { + builder.add_cert((**cert).to_owned()).unwrap(); + } + + builder.build() + }; + + let untrusted = { + let mut stack = Stack::new().unwrap(); + + for cert in untrusted { + stack.push((**cert).to_owned()).unwrap(); + } + + stack + }; + + let mut store_ctx = X509StoreContext::new().unwrap(); + + let _ = store_ctx.init(&trusted, cert, &untrusted, |ctx| { + configure(ctx.verify_param_mut()); + ctx.verify_cert().unwrap(); + + Ok(()) + }); + + store_ctx.verify_result() +} diff --git a/boring/src/x509/verify.rs b/boring/src/x509/verify.rs index 8bc17a58..c827642a 100644 --- a/boring/src/x509/verify.rs +++ b/boring/src/x509/verify.rs @@ -1,6 +1,6 @@ use crate::ffi; use foreign_types::ForeignTypeRef; -use libc::c_uint; +use libc::{c_uint, c_ulong}; use std::net::IpAddr; use crate::cvt; @@ -22,6 +22,14 @@ bitflags! { } } +bitflags! { + /// Flags used to check an `X509` certificate. + #[derive(Debug, PartialEq, Eq, Clone, Copy, PartialOrd, Ord, Hash)] + pub struct X509Flags: c_ulong { + const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST as _; + } +} + foreign_type_and_impl_send_sync! { type CType = ffi::X509_VERIFY_PARAM; fn drop = ffi::X509_VERIFY_PARAM_free; @@ -31,6 +39,31 @@ foreign_type_and_impl_send_sync! { } impl X509VerifyParamRef { + /// Set flags. + /// + /// This corresponds to [`X509_VERIFY_PARAM_set_flags`]. + /// + /// [`X509_VERIFY_PARAM_set_flags`]: https://www.openssl.org/docs/man3.2/man3/X509_VERIFY_PARAM_set_flags.html + pub fn set_flags(&mut self, flags: X509Flags) { + unsafe { + ffi::X509_VERIFY_PARAM_set_flags(self.as_ptr(), flags.bits()); + } + } + + /// Clear flags. + /// + /// Useful to clear out default flags, such as `X509Flags::TRUSTED_FIRST` when the fips feature is off. + /// + /// This corresponds to [`X509_VERIFY_PARAM_clear_flags`]. + /// + /// [`X509_VERIFY_PARAM_set_flags`]: https://www.openssl.org/docs/man3.2/man3/X509_VERIFY_PARAM_set_flags.html + pub fn clear_flags(&mut self, flags: X509Flags) { + unsafe { + ffi::X509_VERIFY_PARAM_clear_flags(self.as_ptr(), flags.bits()); + } + } + + /// /// Set the host flags. /// /// This corresponds to [`X509_VERIFY_PARAM_set_hostflags`]. diff --git a/boring/test/root-ca-2.key b/boring/test/root-ca-2.key new file mode 100644 index 00000000..aab48239 --- /dev/null +++ b/boring/test/root-ca-2.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwSgPW00nGOTje0FHm1HXT3ANHjW3HGPbxiMSRvSoBEdv8R9e +0PoKjse0xQsa5nKolbUhJBS6dkH+13VPOs6e+vZyXD6OYQfi2e42Mw0SPFl5g2qU +fy/17q3ipqPJnT6YHhGpx/P91F7yjDAF2MvNRGQ/6AYWD4MUr6+5vPHEYhQ/JlAK +cN/uWUM+bg2mwMNpmuGRV1tg0hKl9nT1fX1i6OSszPLIY1dC0eHv2gRh1unrXNoY +A76xohiwcJYAAPjrx167S8td8gmWnOwYnCnGIw2ceNpEQv4/bEvtKiLGOu4HUO/x +a7emy1QZgJth5TqQf0pwPEJC0mV5LFoXtlOpjwIDAQABAoIBAB3xBshhYlEikfy2 +NtJl0ll3BiGLtBHLjPLe1uN242CebkTTVxBP4jkVzfjJaucUGPvz8uoz6F+ShV2C +ysBT7SL79uhDrjBuV4TuvyoUuaHvQL3VVKWOmrHf9IVeWE9ut4fZtxbOxKcZ/MEs +ZIuhs/UJETr3To4jBJ7jP4iBda66LXeGDwnhia04zpFWwRRyRFvdVwTvMm9TN2GY +21J6rnc44bGQ/l0qsxSrv/OuW3ZmFNz85mRbuLswgawJgjMSlt1orLz5mdofDxlz +898nSrpJq/mAj8kgV+sH2jGv5FVZrv30W/0GlXObiJLhJiywYkpXbSn/H//w9+ij +ItQXjDECgYEA9RNootH8F0vuWVezKrt9ApE+8AzwltDgMlFc/HEjINnKFg7SWsSN +oinPVcQ07PS+2E7Fgv/6IFv/RTATGIPYrNWGE17dR8xmwh+Xrexz45c49cHTwVCF +VM2J0PvlcEEAscMe1bd5HqIOJm+hvvqfwWdacUPZgtsaS9F/e33vj0cCgYEAycQx +c5EQ9T82z+qMhQ/mf63kYMYDsHbv6F92Pt38V24yh8NTW5lEcV+NonDFrPVH5Vd3 +gU1lvXnG8e3Aj6EXOeEzfu9dpfdyqyZXIU2hbRPYuha+goBd03pM8+YEIgJX3ktu +1Q+G6uMrSLVbe+l06OEcYmvj8xGNWrk/3+ZiB3kCgYEA15+c92xjLSgcbDTyKU3O +Pj0Gr/Pilf7u0ratZlowew3DdMbToxK+PogkqKQ5oKXxZ6Vet9R6AJCQtxIGKxKN +x/sRvOdBL5OScYeUT2zzxbFeZzODGNm8hZFViS6nfq1ibARtk8Gaai5Q3tZm6/3c +IzDI7VCyBiS6LS0EyeVSqa8CgYBRmM6G9jvtcssv+qMpjOyi5iheGraTPwZ262Re +uFe85Av7a7riaHGNiB83enP3JpsU3PKvkCV9IyqZ3JTrgTJrbe/tfdBZtmDhZngG +N+b4vfYADAKvtEo9pFBKstMpDdmLROZltAnUJFr05KNC0X8+Twuzof5l5stLzW9P +lVQ/wQKBgQDT4ixRRx4DlMMzBXNRTkUuZloEhZtLC5xj71KhE7OeOdJ0e6DHJMg3 +VDVQk+y3Qc+8Hh9yxMK/zrYLdHSVyvHTk+7AbppLGX7ZtyLm/gVq3l3VjWKmXKbm +ZT+3+2gqVyjr/p69T7/aLexvfzU5LdjwO7SQFNB4qZaG74WpGAlkMg== +-----END RSA PRIVATE KEY----- diff --git a/boring/test/root-ca-2.pem b/boring/test/root-ca-2.pem new file mode 100644 index 00000000..3b4deaf6 --- /dev/null +++ b/boring/test/root-ca-2.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIUOQyKTQXHMKXZgwc5iktVZkL7hfwwDQYJKoZIhvcNAQEL +BQAwRzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxIzAhBgNVBAoM +GkludGVybmV0IFdpZGdpdHMgUHR5IEx0ZCAyMB4XDTIzMTIwNDEwMzA0N1oXDTIz +MTIxNDEwMzA0N1owRzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +IzAhBgNVBAoMGkludGVybmV0IFdpZGdpdHMgUHR5IEx0ZCAyMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSgPW00nGOTje0FHm1HXT3ANHjW3HGPbxiMS +RvSoBEdv8R9e0PoKjse0xQsa5nKolbUhJBS6dkH+13VPOs6e+vZyXD6OYQfi2e42 +Mw0SPFl5g2qUfy/17q3ipqPJnT6YHhGpx/P91F7yjDAF2MvNRGQ/6AYWD4MUr6+5 +vPHEYhQ/JlAKcN/uWUM+bg2mwMNpmuGRV1tg0hKl9nT1fX1i6OSszPLIY1dC0eHv +2gRh1unrXNoYA76xohiwcJYAAPjrx167S8td8gmWnOwYnCnGIw2ceNpEQv4/bEvt +KiLGOu4HUO/xa7emy1QZgJth5TqQf0pwPEJC0mV5LFoXtlOpjwIDAQABoy8wLTAd +BgNVHQ4EFgQU1rQttC2Y2T0HZAjzRkacyFLVBr8wDAYDVR0TBAUwAwEB/zANBgkq +hkiG9w0BAQsFAAOCAQEAsVucQLIzAKHwN/4ZuVOPpfy/B3+i/Stu2tvNhBxWpbh9 +RQTa0ylpDfaAOLr+TfxCyT0/NmblK4QWxN6AJ5AZS9fVnstLhInafv7So0n3LCg5 +eQkVcQtMdwHucfMw/iz7r229mOHBbK6cnZhu72rcnn7N/RlU+iEucfi6jO+r9iD1 +y20glRta+wEqIBg7nGhulOwwdHVkX7ulpnXIqNCgNvU7/Mp7J+CxuWmeZKLvUQAh +D/gHs9kOPK4izN9QBrRwbiyTaD8G7kFlVWD1tPXrOhBdE1L4OJWvUDSfO0DKueIW +aQa2fFsR1iPuFX/jeTuPk5X2+u5eH4pXj13NEqKvOA== +-----END CERTIFICATE----- diff --git a/boring/test/root-ca-cross.pem b/boring/test/root-ca-cross.pem new file mode 100644 index 00000000..244ea4b9 --- /dev/null +++ b/boring/test/root-ca-cross.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDajCCAlKgAwIBAgIUSYINSQdbr8yzV186s/zQj+2zol8wDQYJKoZIhvcNAQEL +BQAwRzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxIzAhBgNVBAoM +GkludGVybmV0IFdpZGdpdHMgUHR5IEx0ZCAyMB4XDTI0MDEwMzEwMzUyM1oXDTI2 +MDgxMjEwMzUyM1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAK1R1hZ+di25dZefXsXbmZ7VUmcg2KcwzQ/kti1H +Dun0QVoVf9Ss6MfthmabW7jBpnyN4gJ29AhU+Lgt5AZEEJV6JxgE0lcmhUxUfo6v +5XNEj/vQXe0gV4niFXiF5WNU75cCL49zbcPc1/rHEwOEl8R+jNKyr/YEzrm9rwjE +h3hdel/A0K+F7GbkK+wqe49SOGqjicmqeSU5eYo5hvHJ7tJ/vFHEZQc8vfXS1iRt +AHyN1USXVqRkzVWfdmhX390aStxf1iNoKd6ldcp0QCrr5p3Bgtyw72H3HNnYLHNT +ehX6vBiK5IEaG+ngXJJQx6dXdNty8K3vlWlQ0qNf/2O9lBcCAwEAAaNQME4wHQYD +VR0OBBYEFGzTpQOrDV8syY2KnIiniHe4N/2aMB8GA1UdIwQYMBaAFNa0LbQtmNk9 +B2QI80ZGnMhS1Qa/MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBALw+ +mUsLEoqk6eI4jGv5TPP56RPMRdI+wwmQ8+sQ4DIOzDErkIIQMtoP3aqU6kstHrfY +RZ2tJSWfKb9GcE2SL5VtHQCjSJLsE7f+fTpCFn41q0QMsXF22IOxT2eDvK4Kb496 +NVulV6DhsHmbSjo6kla9U3Zqv4WiqLTNj757j+YgmplZQNx8vT5HkPIUi20IxEKV +m6CtPa0M2c2Hl/Y9v006AHmaXnabGvwnLsK92NV0oQb6KnB0mxOrL8od765SF9T0 +OXiNK/2ilN2UB1ft16GI/tU+2N+sTmW9/+S5lExfG/S3qXJwc1l4OC9tH9CxOtYt +6Q+cAmgl6qxF3ltltCM= +-----END CERTIFICATE-----