1 //! Add extensions to an `X509` certificate or certificate request.
2 //!
3 //! The extensions defined for X.509 v3 certificates provide methods for
4 //! associating additional attributes with users or public keys and for
5 //! managing relationships between CAs. The extensions created using this
6 //! module can be used with `X509v3Context` objects.
7 //!
8 //! # Example
9 //!
10 //! ```rust
11 //! use openssl::x509::extension::BasicConstraints;
12 //! use openssl::x509::X509Extension;
13 //!
14 //! let mut bc = BasicConstraints::new();
15 //! let bc = bc.critical().ca().pathlen(1);
16 //!
17 //! let extension: X509Extension = bc.build().unwrap();
18 //! ```
19 use std::fmt::Write;
20
21 use crate::asn1::Asn1Object;
22 use crate::error::ErrorStack;
23 use crate::nid::Nid;
24 use crate::x509::{GeneralName, Stack, X509Extension, X509v3Context};
25 use foreign_types::ForeignType;
26
27 /// An extension which indicates whether a certificate is a CA certificate.
28 pub struct BasicConstraints {
29 critical: bool,
30 ca: bool,
31 pathlen: Option<u32>,
32 }
33
34 impl Default for BasicConstraints {
default() -> BasicConstraints35 fn default() -> BasicConstraints {
36 BasicConstraints::new()
37 }
38 }
39
40 impl BasicConstraints {
41 /// Construct a new `BasicConstraints` extension.
new() -> BasicConstraints42 pub fn new() -> BasicConstraints {
43 BasicConstraints {
44 critical: false,
45 ca: false,
46 pathlen: None,
47 }
48 }
49
50 /// Sets the `critical` flag to `true`. The extension will be critical.
critical(&mut self) -> &mut BasicConstraints51 pub fn critical(&mut self) -> &mut BasicConstraints {
52 self.critical = true;
53 self
54 }
55
56 /// Sets the `ca` flag to `true`.
ca(&mut self) -> &mut BasicConstraints57 pub fn ca(&mut self) -> &mut BasicConstraints {
58 self.ca = true;
59 self
60 }
61
62 /// Sets the `pathlen` to an optional non-negative value. The `pathlen` is the
63 /// maximum number of CAs that can appear below this one in a chain.
pathlen(&mut self, pathlen: u32) -> &mut BasicConstraints64 pub fn pathlen(&mut self, pathlen: u32) -> &mut BasicConstraints {
65 self.pathlen = Some(pathlen);
66 self
67 }
68
69 /// Return the `BasicConstraints` extension as an `X509Extension`.
70 // Temporarily silence the deprecation warning - this should be ported to
71 // `X509Extension::new_internal`.
72 #[allow(deprecated)]
build(&self) -> Result<X509Extension, ErrorStack>73 pub fn build(&self) -> Result<X509Extension, ErrorStack> {
74 let mut value = String::new();
75 if self.critical {
76 value.push_str("critical,");
77 }
78 value.push_str("CA:");
79 if self.ca {
80 value.push_str("TRUE");
81 } else {
82 value.push_str("FALSE");
83 }
84 if let Some(pathlen) = self.pathlen {
85 write!(value, ",pathlen:{}", pathlen).unwrap();
86 }
87 X509Extension::new_nid(None, None, Nid::BASIC_CONSTRAINTS, &value)
88 }
89 }
90
91 /// An extension consisting of a list of names of the permitted key usages.
92 pub struct KeyUsage {
93 critical: bool,
94 digital_signature: bool,
95 non_repudiation: bool,
96 key_encipherment: bool,
97 data_encipherment: bool,
98 key_agreement: bool,
99 key_cert_sign: bool,
100 crl_sign: bool,
101 encipher_only: bool,
102 decipher_only: bool,
103 }
104
105 impl Default for KeyUsage {
default() -> KeyUsage106 fn default() -> KeyUsage {
107 KeyUsage::new()
108 }
109 }
110
111 impl KeyUsage {
112 /// Construct a new `KeyUsage` extension.
new() -> KeyUsage113 pub fn new() -> KeyUsage {
114 KeyUsage {
115 critical: false,
116 digital_signature: false,
117 non_repudiation: false,
118 key_encipherment: false,
119 data_encipherment: false,
120 key_agreement: false,
121 key_cert_sign: false,
122 crl_sign: false,
123 encipher_only: false,
124 decipher_only: false,
125 }
126 }
127
128 /// Sets the `critical` flag to `true`. The extension will be critical.
critical(&mut self) -> &mut KeyUsage129 pub fn critical(&mut self) -> &mut KeyUsage {
130 self.critical = true;
131 self
132 }
133
134 /// Sets the `digitalSignature` flag to `true`.
digital_signature(&mut self) -> &mut KeyUsage135 pub fn digital_signature(&mut self) -> &mut KeyUsage {
136 self.digital_signature = true;
137 self
138 }
139
140 /// Sets the `nonRepudiation` flag to `true`.
non_repudiation(&mut self) -> &mut KeyUsage141 pub fn non_repudiation(&mut self) -> &mut KeyUsage {
142 self.non_repudiation = true;
143 self
144 }
145
146 /// Sets the `keyEncipherment` flag to `true`.
key_encipherment(&mut self) -> &mut KeyUsage147 pub fn key_encipherment(&mut self) -> &mut KeyUsage {
148 self.key_encipherment = true;
149 self
150 }
151
152 /// Sets the `dataEncipherment` flag to `true`.
data_encipherment(&mut self) -> &mut KeyUsage153 pub fn data_encipherment(&mut self) -> &mut KeyUsage {
154 self.data_encipherment = true;
155 self
156 }
157
158 /// Sets the `keyAgreement` flag to `true`.
key_agreement(&mut self) -> &mut KeyUsage159 pub fn key_agreement(&mut self) -> &mut KeyUsage {
160 self.key_agreement = true;
161 self
162 }
163
164 /// Sets the `keyCertSign` flag to `true`.
key_cert_sign(&mut self) -> &mut KeyUsage165 pub fn key_cert_sign(&mut self) -> &mut KeyUsage {
166 self.key_cert_sign = true;
167 self
168 }
169
170 /// Sets the `cRLSign` flag to `true`.
crl_sign(&mut self) -> &mut KeyUsage171 pub fn crl_sign(&mut self) -> &mut KeyUsage {
172 self.crl_sign = true;
173 self
174 }
175
176 /// Sets the `encipherOnly` flag to `true`.
encipher_only(&mut self) -> &mut KeyUsage177 pub fn encipher_only(&mut self) -> &mut KeyUsage {
178 self.encipher_only = true;
179 self
180 }
181
182 /// Sets the `decipherOnly` flag to `true`.
decipher_only(&mut self) -> &mut KeyUsage183 pub fn decipher_only(&mut self) -> &mut KeyUsage {
184 self.decipher_only = true;
185 self
186 }
187
188 /// Return the `KeyUsage` extension as an `X509Extension`.
189 // Temporarily silence the deprecation warning - this should be ported to
190 // `X509Extension::new_internal`.
191 #[allow(deprecated)]
build(&self) -> Result<X509Extension, ErrorStack>192 pub fn build(&self) -> Result<X509Extension, ErrorStack> {
193 let mut value = String::new();
194 let mut first = true;
195 append(&mut value, &mut first, self.critical, "critical");
196 append(
197 &mut value,
198 &mut first,
199 self.digital_signature,
200 "digitalSignature",
201 );
202 append(
203 &mut value,
204 &mut first,
205 self.non_repudiation,
206 "nonRepudiation",
207 );
208 append(
209 &mut value,
210 &mut first,
211 self.key_encipherment,
212 "keyEncipherment",
213 );
214 append(
215 &mut value,
216 &mut first,
217 self.data_encipherment,
218 "dataEncipherment",
219 );
220 append(&mut value, &mut first, self.key_agreement, "keyAgreement");
221 append(&mut value, &mut first, self.key_cert_sign, "keyCertSign");
222 append(&mut value, &mut first, self.crl_sign, "cRLSign");
223 append(&mut value, &mut first, self.encipher_only, "encipherOnly");
224 append(&mut value, &mut first, self.decipher_only, "decipherOnly");
225 X509Extension::new_nid(None, None, Nid::KEY_USAGE, &value)
226 }
227 }
228
229 /// An extension consisting of a list of usages indicating purposes
230 /// for which the certificate public key can be used for.
231 pub struct ExtendedKeyUsage {
232 critical: bool,
233 items: Vec<String>,
234 }
235
236 impl Default for ExtendedKeyUsage {
default() -> ExtendedKeyUsage237 fn default() -> ExtendedKeyUsage {
238 ExtendedKeyUsage::new()
239 }
240 }
241
242 impl ExtendedKeyUsage {
243 /// Construct a new `ExtendedKeyUsage` extension.
new() -> ExtendedKeyUsage244 pub fn new() -> ExtendedKeyUsage {
245 ExtendedKeyUsage {
246 critical: false,
247 items: vec![],
248 }
249 }
250
251 /// Sets the `critical` flag to `true`. The extension will be critical.
critical(&mut self) -> &mut ExtendedKeyUsage252 pub fn critical(&mut self) -> &mut ExtendedKeyUsage {
253 self.critical = true;
254 self
255 }
256
257 /// Sets the `serverAuth` flag to `true`.
server_auth(&mut self) -> &mut ExtendedKeyUsage258 pub fn server_auth(&mut self) -> &mut ExtendedKeyUsage {
259 self.other("serverAuth")
260 }
261
262 /// Sets the `clientAuth` flag to `true`.
client_auth(&mut self) -> &mut ExtendedKeyUsage263 pub fn client_auth(&mut self) -> &mut ExtendedKeyUsage {
264 self.other("clientAuth")
265 }
266
267 /// Sets the `codeSigning` flag to `true`.
code_signing(&mut self) -> &mut ExtendedKeyUsage268 pub fn code_signing(&mut self) -> &mut ExtendedKeyUsage {
269 self.other("codeSigning")
270 }
271
272 /// Sets the `emailProtection` flag to `true`.
email_protection(&mut self) -> &mut ExtendedKeyUsage273 pub fn email_protection(&mut self) -> &mut ExtendedKeyUsage {
274 self.other("emailProtection")
275 }
276
277 /// Sets the `timeStamping` flag to `true`.
time_stamping(&mut self) -> &mut ExtendedKeyUsage278 pub fn time_stamping(&mut self) -> &mut ExtendedKeyUsage {
279 self.other("timeStamping")
280 }
281
282 /// Sets the `msCodeInd` flag to `true`.
ms_code_ind(&mut self) -> &mut ExtendedKeyUsage283 pub fn ms_code_ind(&mut self) -> &mut ExtendedKeyUsage {
284 self.other("msCodeInd")
285 }
286
287 /// Sets the `msCodeCom` flag to `true`.
ms_code_com(&mut self) -> &mut ExtendedKeyUsage288 pub fn ms_code_com(&mut self) -> &mut ExtendedKeyUsage {
289 self.other("msCodeCom")
290 }
291
292 /// Sets the `msCTLSign` flag to `true`.
ms_ctl_sign(&mut self) -> &mut ExtendedKeyUsage293 pub fn ms_ctl_sign(&mut self) -> &mut ExtendedKeyUsage {
294 self.other("msCTLSign")
295 }
296
297 /// Sets the `msSGC` flag to `true`.
ms_sgc(&mut self) -> &mut ExtendedKeyUsage298 pub fn ms_sgc(&mut self) -> &mut ExtendedKeyUsage {
299 self.other("msSGC")
300 }
301
302 /// Sets the `msEFS` flag to `true`.
ms_efs(&mut self) -> &mut ExtendedKeyUsage303 pub fn ms_efs(&mut self) -> &mut ExtendedKeyUsage {
304 self.other("msEFS")
305 }
306
307 /// Sets the `nsSGC` flag to `true`.
ns_sgc(&mut self) -> &mut ExtendedKeyUsage308 pub fn ns_sgc(&mut self) -> &mut ExtendedKeyUsage {
309 self.other("nsSGC")
310 }
311
312 /// Sets a flag not already defined.
other(&mut self, other: &str) -> &mut ExtendedKeyUsage313 pub fn other(&mut self, other: &str) -> &mut ExtendedKeyUsage {
314 self.items.push(other.to_string());
315 self
316 }
317
318 /// Return the `ExtendedKeyUsage` extension as an `X509Extension`.
build(&self) -> Result<X509Extension, ErrorStack>319 pub fn build(&self) -> Result<X509Extension, ErrorStack> {
320 let mut stack = Stack::new()?;
321 for item in &self.items {
322 stack.push(Asn1Object::from_str(item)?)?;
323 }
324 unsafe {
325 X509Extension::new_internal(Nid::EXT_KEY_USAGE, self.critical, stack.as_ptr().cast())
326 }
327 }
328 }
329
330 /// An extension that provides a means of identifying certificates that contain a
331 /// particular public key.
332 pub struct SubjectKeyIdentifier {
333 critical: bool,
334 }
335
336 impl Default for SubjectKeyIdentifier {
default() -> SubjectKeyIdentifier337 fn default() -> SubjectKeyIdentifier {
338 SubjectKeyIdentifier::new()
339 }
340 }
341
342 impl SubjectKeyIdentifier {
343 /// Construct a new `SubjectKeyIdentifier` extension.
new() -> SubjectKeyIdentifier344 pub fn new() -> SubjectKeyIdentifier {
345 SubjectKeyIdentifier { critical: false }
346 }
347
348 /// Sets the `critical` flag to `true`. The extension will be critical.
critical(&mut self) -> &mut SubjectKeyIdentifier349 pub fn critical(&mut self) -> &mut SubjectKeyIdentifier {
350 self.critical = true;
351 self
352 }
353
354 /// Return a `SubjectKeyIdentifier` extension as an `X509Extension`.
355 // Temporarily silence the deprecation warning - this should be ported to
356 // `X509Extension::new_internal`.
357 #[allow(deprecated)]
build(&self, ctx: &X509v3Context<'_>) -> Result<X509Extension, ErrorStack>358 pub fn build(&self, ctx: &X509v3Context<'_>) -> Result<X509Extension, ErrorStack> {
359 let mut value = String::new();
360 let mut first = true;
361 append(&mut value, &mut first, self.critical, "critical");
362 append(&mut value, &mut first, true, "hash");
363 X509Extension::new_nid(None, Some(ctx), Nid::SUBJECT_KEY_IDENTIFIER, &value)
364 }
365 }
366
367 /// An extension that provides a means of identifying the public key corresponding
368 /// to the private key used to sign a CRL.
369 pub struct AuthorityKeyIdentifier {
370 critical: bool,
371 keyid: Option<bool>,
372 issuer: Option<bool>,
373 }
374
375 impl Default for AuthorityKeyIdentifier {
default() -> AuthorityKeyIdentifier376 fn default() -> AuthorityKeyIdentifier {
377 AuthorityKeyIdentifier::new()
378 }
379 }
380
381 impl AuthorityKeyIdentifier {
382 /// Construct a new `AuthorityKeyIdentifier` extension.
new() -> AuthorityKeyIdentifier383 pub fn new() -> AuthorityKeyIdentifier {
384 AuthorityKeyIdentifier {
385 critical: false,
386 keyid: None,
387 issuer: None,
388 }
389 }
390
391 /// Sets the `critical` flag to `true`. The extension will be critical.
critical(&mut self) -> &mut AuthorityKeyIdentifier392 pub fn critical(&mut self) -> &mut AuthorityKeyIdentifier {
393 self.critical = true;
394 self
395 }
396
397 /// Sets the `keyid` flag.
keyid(&mut self, always: bool) -> &mut AuthorityKeyIdentifier398 pub fn keyid(&mut self, always: bool) -> &mut AuthorityKeyIdentifier {
399 self.keyid = Some(always);
400 self
401 }
402
403 /// Sets the `issuer` flag.
issuer(&mut self, always: bool) -> &mut AuthorityKeyIdentifier404 pub fn issuer(&mut self, always: bool) -> &mut AuthorityKeyIdentifier {
405 self.issuer = Some(always);
406 self
407 }
408
409 /// Return a `AuthorityKeyIdentifier` extension as an `X509Extension`.
410 // Temporarily silence the deprecation warning - this should be ported to
411 // `X509Extension::new_internal`.
412 #[allow(deprecated)]
build(&self, ctx: &X509v3Context<'_>) -> Result<X509Extension, ErrorStack>413 pub fn build(&self, ctx: &X509v3Context<'_>) -> Result<X509Extension, ErrorStack> {
414 let mut value = String::new();
415 let mut first = true;
416 append(&mut value, &mut first, self.critical, "critical");
417 match self.keyid {
418 Some(true) => append(&mut value, &mut first, true, "keyid:always"),
419 Some(false) => append(&mut value, &mut first, true, "keyid"),
420 None => {}
421 }
422 match self.issuer {
423 Some(true) => append(&mut value, &mut first, true, "issuer:always"),
424 Some(false) => append(&mut value, &mut first, true, "issuer"),
425 None => {}
426 }
427 X509Extension::new_nid(None, Some(ctx), Nid::AUTHORITY_KEY_IDENTIFIER, &value)
428 }
429 }
430
431 enum RustGeneralName {
432 Dns(String),
433 Email(String),
434 Uri(String),
435 Ip(String),
436 Rid(String),
437 OtherName(Asn1Object, Vec<u8>),
438 }
439
440 /// An extension that allows additional identities to be bound to the subject
441 /// of the certificate.
442 pub struct SubjectAlternativeName {
443 critical: bool,
444 items: Vec<RustGeneralName>,
445 }
446
447 impl Default for SubjectAlternativeName {
default() -> SubjectAlternativeName448 fn default() -> SubjectAlternativeName {
449 SubjectAlternativeName::new()
450 }
451 }
452
453 impl SubjectAlternativeName {
454 /// Construct a new `SubjectAlternativeName` extension.
new() -> SubjectAlternativeName455 pub fn new() -> SubjectAlternativeName {
456 SubjectAlternativeName {
457 critical: false,
458 items: vec![],
459 }
460 }
461
462 /// Sets the `critical` flag to `true`. The extension will be critical.
critical(&mut self) -> &mut SubjectAlternativeName463 pub fn critical(&mut self) -> &mut SubjectAlternativeName {
464 self.critical = true;
465 self
466 }
467
468 /// Sets the `email` flag.
email(&mut self, email: &str) -> &mut SubjectAlternativeName469 pub fn email(&mut self, email: &str) -> &mut SubjectAlternativeName {
470 self.items.push(RustGeneralName::Email(email.to_string()));
471 self
472 }
473
474 /// Sets the `uri` flag.
uri(&mut self, uri: &str) -> &mut SubjectAlternativeName475 pub fn uri(&mut self, uri: &str) -> &mut SubjectAlternativeName {
476 self.items.push(RustGeneralName::Uri(uri.to_string()));
477 self
478 }
479
480 /// Sets the `dns` flag.
dns(&mut self, dns: &str) -> &mut SubjectAlternativeName481 pub fn dns(&mut self, dns: &str) -> &mut SubjectAlternativeName {
482 self.items.push(RustGeneralName::Dns(dns.to_string()));
483 self
484 }
485
486 /// Sets the `rid` flag.
rid(&mut self, rid: &str) -> &mut SubjectAlternativeName487 pub fn rid(&mut self, rid: &str) -> &mut SubjectAlternativeName {
488 self.items.push(RustGeneralName::Rid(rid.to_string()));
489 self
490 }
491
492 /// Sets the `ip` flag.
ip(&mut self, ip: &str) -> &mut SubjectAlternativeName493 pub fn ip(&mut self, ip: &str) -> &mut SubjectAlternativeName {
494 self.items.push(RustGeneralName::Ip(ip.to_string()));
495 self
496 }
497
498 /// Sets the `dirName` flag.
499 ///
500 /// Not currently actually supported, always panics.
501 #[deprecated = "dir_name is deprecated and always panics. Please file a bug if you have a use case for this."]
dir_name(&mut self, _dir_name: &str) -> &mut SubjectAlternativeName502 pub fn dir_name(&mut self, _dir_name: &str) -> &mut SubjectAlternativeName {
503 unimplemented!(
504 "This has not yet been adapted for the new internals. File a bug if you need this."
505 );
506 }
507
508 /// Sets the `otherName` flag.
509 ///
510 /// Not currently actually supported, always panics. Please use other_name2
511 #[deprecated = "other_name is deprecated and always panics. Please use other_name2."]
other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName512 pub fn other_name(&mut self, _other_name: &str) -> &mut SubjectAlternativeName {
513 unimplemented!("This has not yet been adapted for the new internals. Use other_name2.");
514 }
515
516 /// Sets the `otherName` flag.
517 ///
518 /// `content` must be a valid der encoded ASN1_TYPE
519 ///
520 /// If you want to add just a ia5string use `other_name_ia5string`
other_name2(&mut self, oid: Asn1Object, content: &[u8]) -> &mut SubjectAlternativeName521 pub fn other_name2(&mut self, oid: Asn1Object, content: &[u8]) -> &mut SubjectAlternativeName {
522 self.items
523 .push(RustGeneralName::OtherName(oid, content.into()));
524 self
525 }
526
527 /// Return a `SubjectAlternativeName` extension as an `X509Extension`.
build(&self, _ctx: &X509v3Context<'_>) -> Result<X509Extension, ErrorStack>528 pub fn build(&self, _ctx: &X509v3Context<'_>) -> Result<X509Extension, ErrorStack> {
529 let mut stack = Stack::new()?;
530 for item in &self.items {
531 let gn = match item {
532 RustGeneralName::Dns(s) => GeneralName::new_dns(s.as_bytes())?,
533 RustGeneralName::Email(s) => GeneralName::new_email(s.as_bytes())?,
534 RustGeneralName::Uri(s) => GeneralName::new_uri(s.as_bytes())?,
535 RustGeneralName::Ip(s) => {
536 GeneralName::new_ip(s.parse().map_err(|_| ErrorStack::get())?)?
537 }
538 RustGeneralName::Rid(s) => GeneralName::new_rid(Asn1Object::from_str(s)?)?,
539 RustGeneralName::OtherName(oid, content) => {
540 GeneralName::new_other_name(oid.clone(), content)?
541 }
542 };
543 stack.push(gn)?;
544 }
545
546 unsafe {
547 X509Extension::new_internal(Nid::SUBJECT_ALT_NAME, self.critical, stack.as_ptr().cast())
548 }
549 }
550 }
551
append(value: &mut String, first: &mut bool, should: bool, element: &str)552 fn append(value: &mut String, first: &mut bool, should: bool, element: &str) {
553 if !should {
554 return;
555 }
556
557 if !*first {
558 value.push(',');
559 }
560 *first = false;
561 value.push_str(element);
562 }
563