Comments (5)
#15 (referenced above) mentions the p12 crate, which is advertised as "pure Rust".
I'll look into using this crate or another pure Rust PKCS12 parser: https://github.com/jack-fortanix/pkcs12
For future reference, here's how I parsed a PKCS12 with the heavy openssl crate:
    use openssl::pkcs12::Pkcs12;
    use tokio_rustls::rustls::{self, ServerConfig};
    use tokio_rustls::TlsAcceptor;

    // `server_identity_pkcs12_der` is the raw content of the .p12/.pfx file,
    // `password` the passphrase that protects it.
    fn load_identity(server_identity_pkcs12_der: &[u8], password: &str) -> TlsAcceptor {
        // Parse the PKCS#12 container, then decrypt and MAC-check it with the password.
        let openssl_pkcs12 = Pkcs12::from_der(server_identity_pkcs12_der)
            .expect("Failed to parse identity file")
            .parse2(password)
            .expect("Failed to parse identity file with given password");
        // parse2() gives back Option fields: end-entity cert, CA chain and private key.
        let cert = openssl_pkcs12
            .cert
            .expect("No TLS certificate found in identity file");
        let ca_cert_chain: Vec<_> = openssl_pkcs12
            .ca
            .map(|stack| stack.into_iter().collect())
            .expect("At least 1 CA cert is needed");
        // TODO check validity of cert, etc
        let private_key = openssl_pkcs12
            .pkey
            .expect("No TLS private key found in identity file");
        println!(
            "Loaded cert with Subject alt names (SAN): {:?}",
            &cert.subject_alt_names().expect("Cert must have SAN field.")
        );
        // Rustls has no support for pkcs12, so hand it the chain and key as DER.
        // Leaf certificate first, then the CA chain: the order rustls expects.
        let mut cert_chain = vec![cert];
        cert_chain.extend(ca_cert_chain);
        // Round-trip through PEM so rustls-pemfile can split the chain into DER certs.
        let an_entire_pem: Vec<_> = cert_chain
            .into_iter()
            .map(|c| c.to_pem().unwrap())
            .collect();
        let der_encoded_cert_chain: Vec<rustls::Certificate> =
            rustls_pemfile::certs(&mut an_entire_pem.concat().as_slice())
                .expect("Parse DER")
                .into_iter()
                .map(rustls::Certificate)
                .collect();
        // private_key_to_der() emits PKCS#8 DER, which rustls::PrivateKey accepts.
        let der_encoded_pkey = rustls::PrivateKey(
            private_key
                .private_key_to_der()
                .expect("Unable to encode private key as DER"),
        );
        let config = ServerConfig::builder()
            .with_safe_default_cipher_suites()
            .with_safe_default_kx_groups()
            .with_protocol_versions(&[&rustls::version::TLS13])
            .expect("Unable to set TLS settings")
            .with_no_client_auth()
            .with_single_cert(der_encoded_cert_chain, der_encoded_pkey)
            .expect("Unable to build rustls ServerConfig");
        TlsAcceptor::from(std::sync::Arc::new(config))
    }
Cargo.toml:

    [dependencies]
    openssl-sys = "0.9"
    openssl = "0.10"
    tokio-rustls = "0.23.4"
    rustls-pemfile = "1.0.2"
You see this gives a fully parsed certificate that can be validated, and you can analyze its metadata; I use this to print the cert's SANs.
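Added example, not code from this thread, from the p12 crate or from rustls-pemfile: the first thing a pure-Rust PKCS#12 parser has to get right is a strict DER reader, because a .p12 file is a DER-encoded PFX envelope and a reader that tolerates BER-style indefinite or non-minimal lengths is easy to confuse with crafted input. The std-only block below decodes the outer PFX envelope (version, authSafe content type, whether MacData is present) and returns the inner AuthenticatedSafe bytes that the password-based decryption stage would consume next. The sample PFX bytes are constructed inside the block and stand in for a real identity file; all function and type names are this example's own.

```rust
// Added example (not from this thread, the p12 crate or rustls-pemfile): a std-only strict
// DER reader plus a decoder for the outer PKCS#12 PFX envelope (RFC 7292, section 4).
// The sample PFX bytes are constructed below; they are filler, not a real identity file.

#[derive(Debug, PartialEq)]
pub enum DerError { Truncated, IndefiniteLength, NonMinimalLength, TrailingData, UnexpectedTag(u8), Unsupported(&'static str) }

/// One decoded TLV: tag, value bytes, and whatever follows it in the input.
pub struct Tlv<'a> { pub tag: u8, pub value: &'a [u8], pub rest: &'a [u8] }

const TAG_INTEGER: u8 = 0x02;
const TAG_OCTET_STRING: u8 = 0x04;
const TAG_OID: u8 = 0x06;
const TAG_SEQUENCE: u8 = 0x30;
const TAG_CONTEXT_0: u8 = 0xa0;
// id-data (1.2.840.113549.1.7.1): the authSafe content type of a password-mode (unsigned) PFX.
const OID_PKCS7_DATA: &[u8] = &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01];

/// Reads one DER TLV. Rejects the BER forms a crafted file could use to lie about lengths:
/// indefinite length, non-minimal long-form length, or a length past the end of the input.
pub fn read_tlv(input: &[u8]) -> Result<Tlv<'_>, DerError> {
    let (&tag, after_tag) = input.split_first().ok_or(DerError::Truncated)?;
    if tag & 0x1f == 0x1f {
        return Err(DerError::Unsupported("multi-byte tag"));
    }
    let (&first, after_first) = after_tag.split_first().ok_or(DerError::Truncated)?;
    let (len, body) = if first < 0x80 {
        (usize::from(first), after_first)
    } else if first == 0x80 {
        return Err(DerError::IndefiniteLength);
    } else {
        let n = usize::from(first & 0x7f);
        if n > 4 {
            return Err(DerError::Unsupported("length field longer than 4 bytes"));
        }
        if after_first.len() < n {
            return Err(DerError::Truncated);
        }
        let (len_bytes, body) = after_first.split_at(n);
        let len = len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | usize::from(b));
        if len_bytes[0] == 0 || len < 0x80 {
            return Err(DerError::NonMinimalLength);
        }
        (len, body)
    };
    if body.len() < len {
        return Err(DerError::Truncated);
    }
    let (value, rest) = body.split_at(len);
    Ok(Tlv { tag, value, rest })
}

fn expect_tag(input: &[u8], tag: u8) -> Result<Tlv<'_>, DerError> {
    let tlv = read_tlv(input)?;
    if tlv.tag != tag { return Err(DerError::UnexpectedTag(tlv.tag)); }
    Ok(tlv)
}

/// What the envelope says before any password is needed. `auth_safe` is the DER
/// AuthenticatedSafe (still to be parsed) carried inside the authSafe OCTET STRING.
#[derive(Debug, PartialEq)]
pub struct PfxEnvelope<'a> { pub version: u8, pub auth_safe: &'a [u8], pub has_mac: bool }

// PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData MacData OPTIONAL }
// ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT OCTET STRING }
pub fn parse_pfx_envelope(der: &[u8]) -> Result<PfxEnvelope<'_>, DerError> {
    let pfx = expect_tag(der, TAG_SEQUENCE)?;
    if !pfx.rest.is_empty() { return Err(DerError::TrailingData); }
    let version = expect_tag(pfx.value, TAG_INTEGER)?;
    if version.value != [3u8].as_slice() {
        return Err(DerError::Unsupported("PFX version other than v3"));
    }
    let content_info = expect_tag(version.rest, TAG_SEQUENCE)?;
    let oid = expect_tag(content_info.value, TAG_OID)?;
    if oid.value != OID_PKCS7_DATA {
        return Err(DerError::Unsupported("signed-mode PFX (contentType is not id-data)"));
    }
    let explicit = expect_tag(oid.rest, TAG_CONTEXT_0)?;
    let octets = expect_tag(explicit.value, TAG_OCTET_STRING)?;
    if !explicit.rest.is_empty() || !octets.rest.is_empty() { return Err(DerError::TrailingData); }
    // Only the presence and framing of MacData is checked here; verifying the MAC needs the password.
    let has_mac = !content_info.rest.is_empty();
    if has_mac && !expect_tag(content_info.rest, TAG_SEQUENCE)?.rest.is_empty() {
        return Err(DerError::TrailingData);
    }
    Ok(PfxEnvelope { version: 3, auth_safe: octets.value, has_mac })
}

/// Minimal DER encoder (shortest length form), used only to build the constructed sample.
pub fn encode_tlv(tag: u8, value: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    if value.len() < 0x80 {
        out.push(value.len() as u8);
    } else {
        let be = value.len().to_be_bytes();
        let len_bytes = &be[be.iter().position(|&b| b != 0).unwrap()..];
        out.push(0x80 | len_bytes.len() as u8);
        out.extend_from_slice(len_bytes);
    }
    out.extend_from_slice(value);
    out
}

/// Constructed filler in place of a real AuthenticatedSafe (which would hold SafeBags):
/// 300 bytes, so the sample exercises two-byte long-form lengths in the reader.
pub fn sample_auth_safe() -> Vec<u8> {
    encode_tlv(TAG_SEQUENCE, &encode_tlv(TAG_OCTET_STRING, &[0u8; 300]))
}

/// Constructed sample PFX; the optional MacData is an empty SEQUENCE placeholder.
pub fn sample_pfx(with_mac: bool) -> Vec<u8> {
    let content = encode_tlv(TAG_CONTEXT_0, &encode_tlv(TAG_OCTET_STRING, &sample_auth_safe()));
    let content_info = encode_tlv(TAG_SEQUENCE, &[encode_tlv(TAG_OID, OID_PKCS7_DATA), content].concat());
    let mut body = [encode_tlv(TAG_INTEGER, &[3]), content_info].concat();
    if with_mac {
        body.extend_from_slice(&encode_tlv(TAG_SEQUENCE, &[]));
    }
    encode_tlv(TAG_SEQUENCE, &body)
}

fn main() {
    match parse_pfx_envelope(&sample_pfx(true)) {
        Ok(env) => println!("PFX v{}: {}-byte AuthenticatedSafe, MacData present: {}",
                            env.version, env.auth_safe.len(), env.has_mac),
        Err(e) => eprintln!("rejected: {:?}", e),
    }
}
```

The block stops at the envelope on purpose: checking the MAC and decrypting the SafeBags, which is what openssl's parse2 does behind the scenes, needs the password plus PBKDF and cipher code that std does not provide. Every bounds check in read_tlv is reached by the constructed sample or by the malformed inputs a parser of untrusted .p12 files must refuse (a file cut short, an indefinite length, a padded length byte).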
See #15.
Thank you.
Also related: rusticata/x509-parser#78
Hi @roguh 👋🏻 I'm currently trying to achieve the exact same thing openssl
crate?