
Comments (5)

djc avatar djc commented on June 8, 2024 2

#15 (referenced above) mentions the p12 crate, which is advertised as "pure Rust".

from pemfile.

roguh avatar roguh commented on June 8, 2024

I'll look into using this crate or another pure Rust PKCS12 parser: https://github.com/jack-fortanix/pkcs12

For future reference, here's how I parsed a PKCS12 with the heavy openssl crate:

    use openssl::pkcs12::Pkcs12;
    use tokio_rustls::rustls::{Certificate, PrivateKey, ServerConfig};
    use tokio_rustls::TlsAcceptor;

    /// Builds a rustls `TlsAcceptor` from a DER-encoded PKCS#12 identity file:
    /// OpenSSL does the PKCS#12 parsing (MAC check and password-based decryption),
    /// then the certificate chain and private key are handed to rustls as DER.
    fn tls_acceptor_from_pkcs12(server_identity_pkcs12_der: &[u8], password: &str) -> TlsAcceptor {
        let openssl_pkcs12 = Pkcs12::from_der(server_identity_pkcs12_der)
            .expect("Failed to parse identity file")
            .parse2(password)
            .expect("Failed to parse identity file with given password");
        let cert = openssl_pkcs12
            .cert
            .expect("No TLS certificate found in identity file");
        let ca_cert_chain: Vec<_> = openssl_pkcs12
            .ca
            .map(|stack| stack.into_iter().collect())
            .expect("At least 1 CA cert is needed");

        // TODO check validity of cert, etc
        let private_key = openssl_pkcs12
            .pkey
            .expect("No TLS private key found in identity file");

        println!(
            "Loaded cert with Subject alt names (SAN): {:?}",
            &cert.subject_alt_names().expect("Cert must have SAN field.")
        );

        // Rustls has no support for pkcs12, so re-encode the chain (leaf cert first,
        // then the CA certs) as PEM and let rustls-pemfile turn it back into DER.
        let mut cert_chain = ca_cert_chain.clone();
        cert_chain.insert(0, cert);
        let an_entire_pem: Vec<_> = cert_chain
            .into_iter()
            .map(|c| c.to_pem().expect("Unable to encode certificate as PEM"))
            .collect();

        let der_encoded_cert_chain: Vec<Certificate> =
            rustls_pemfile::certs(&mut an_entire_pem.concat().as_ref())
                .expect("Parse PEM certificate chain")
                .into_iter()
                .map(Certificate)
                .collect();

        // private_key_to_der() gives the key-type-specific DER encoding (PKCS#1 for
        // RSA); private_key_to_pkcs8() is the PKCS#8 form if rustls needs that for
        // the key type in use.
        let der_encoded_pkey = PrivateKey(
            private_key
                .private_key_to_der()
                .expect("Unable to encode private key as DER"),
        );

        let config = ServerConfig::builder()
            .with_safe_default_cipher_suites()
            .with_safe_default_kx_groups()
            .with_protocol_versions(&[&tokio_rustls::rustls::version::TLS13])
            .expect("Unable to set TLS settings")
            .with_no_client_auth()
            .with_single_cert(der_encoded_cert_chain, der_encoded_pkey)
            .expect("Unable to build rustls ServerConfig");
        TlsAcceptor::from(std::sync::Arc::new(config))
    }

Cargo.toml:

    openssl-sys = "0.9"
    openssl = "0.10"
    tokio-rustls = "0.23.4"
    rustls-pemfile = "1.0.2"

You can see this gives a fully parsed certificate that can be validated, and you can analyze its metadata; I use this to print the cert's SANs.

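For anyone weighing the "pure Rust PKCS#12 parser" route discussed above, here is an added example (not code from this thread, from rustls-pemfile, or from any of the crates mentioned) showing what the outer layer of a PFX file (RFC 7292) looks like to a DER walker written against std only. It reads the version, the outer ContentInfo type, the ContentInfo types inside the AuthenticatedSafe, and whether a MacData block is present. It deliberately stops there: verifying the MAC (PKCS#12 KDF plus HMAC) and decrypting the SafeContents (PBES1/PBES2) are the parts a real parser such as the openssl, p12 or pkcs12 crate adds, and the reason rustls-pemfile cannot simply "read" a .p12. The sample PFX is constructed in `sample_pfx()` with placeholder digest, salt and EncryptedData bytes; it is not a real identity file.

```rust
// Added example: a std-only DER walker for the outer PKCS#12 (PFX) structure.
// Nothing here verifies the MAC or decrypts SafeContents.

#[derive(Debug, PartialEq)]
pub struct Tlv<'a> { pub tag: u8, pub value: &'a [u8] }

/// Reads one DER TLV from the front of `input`; rejects indefinite and
/// non-minimal lengths, which DER forbids (a cheap way to refuse BER).
pub fn read_tlv(input: &[u8]) -> Result<(Tlv<'_>, &[u8]), &'static str> {
    let tag = *input.first().ok_or("truncated tag")?;
    if tag & 0x1f == 0x1f { return Err("multi-byte tags not supported"); }
    let first_len = *input.get(1).ok_or("truncated length")?;
    let (len, header) = if first_len < 0x80 {
        (first_len as usize, 2)
    } else {
        let n = (first_len & 0x7f) as usize;
        if n == 0 || n > 4 { return Err("indefinite or oversized length"); }
        let bytes = input.get(2..2 + n).ok_or("truncated length")?;
        let len = bytes.iter().fold(0usize, |acc, b| (acc << 8) | *b as usize);
        if bytes[0] == 0 || len < 0x80 { return Err("non-minimal length encoding"); }
        (len, 2 + n)
    };
    let value = input.get(header..header + len).ok_or("truncated value")?;
    Ok((Tlv { tag, value }, &input[header + len..]))
}

/// Decodes DER OID contents into dotted form, e.g. "1.2.840.113549.1.7.1".
pub fn oid_to_string(bytes: &[u8]) -> Result<String, &'static str> {
    if bytes.is_empty() || (bytes[bytes.len() - 1] & 0x80) != 0 { return Err("empty or truncated OID"); }
    let (mut arcs, mut acc) = (Vec::<u64>::new(), 0u64);
    for b in bytes {
        acc = (acc << 7) | (b & 0x7f) as u64;
        if (b & 0x80) == 0 {
            if arcs.is_empty() {
                let first = (acc / 40).min(2); // first two arcs are packed as 40*a + b
                arcs.push(first);
                arcs.push(acc - 40 * first);
            } else { arcs.push(acc); }
            acc = 0;
        }
    }
    Ok(arcs.iter().map(|a| a.to_string()).collect::<Vec<_>>().join("."))
}

pub const ID_DATA: &str = "1.2.840.113549.1.7.1";
pub const ID_ENCRYPTED_DATA: &str = "1.2.840.113549.1.7.6";

#[derive(Debug, PartialEq)]
pub struct PfxSummary { pub version: u64, pub auth_safe_type: String, pub inner_content_types: Vec<String>, pub has_mac: bool }

fn expect_tag<'a>(input: &'a [u8], tag: u8, what: &'static str) -> Result<(Tlv<'a>, &'a [u8]), &'static str> {
    let (tlv, rest) = read_tlv(input)?;
    if tlv.tag != tag { return Err(what); }
    Ok((tlv, rest))
}

/// PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }
pub fn parse_pfx(input: &[u8]) -> Result<PfxSummary, &'static str> {
    let (pfx, trailing) = expect_tag(input, 0x30, "PFX must be a SEQUENCE")?;
    if !trailing.is_empty() { return Err("trailing bytes after PFX"); }
    let (version, rest) = expect_tag(pfx.value, 0x02, "version must be an INTEGER")?;
    let version = version.value.iter().fold(0u64, |acc, b| (acc << 8) | *b as u64);
    if version != 3 { return Err("only PFX version 3 is defined"); }
    // ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] EXPLICIT ANY }
    let (auth_safe, rest) = expect_tag(rest, 0x30, "authSafe must be a SEQUENCE")?;
    let (oid, content) = expect_tag(auth_safe.value, 0x06, "contentType must be an OID")?;
    let auth_safe_type = oid_to_string(oid.value)?;
    // MacData, when present, is the last element; absence means no integrity protection.
    let has_mac = if rest.is_empty() { false } else {
        let (_mac, tail) = expect_tag(rest, 0x30, "macData must be a SEQUENCE")?;
        if !tail.is_empty() { return Err("trailing bytes after macData"); }
        true
    };
    // Password-integrity mode: id-data wrapping an OCTET STRING that holds
    // AuthenticatedSafe ::= SEQUENCE OF ContentInfo (id-data = plaintext SafeContents,
    // id-encryptedData = password-encrypted SafeContents, typically the certificates).
    let mut inner_content_types = Vec::new();
    if auth_safe_type == ID_DATA {
        let (explicit, _) = expect_tag(content, 0xa0, "content must be [0] EXPLICIT")?;
        let (octets, _) = expect_tag(explicit.value, 0x04, "data content must be an OCTET STRING")?;
        let (seq, _) = expect_tag(octets.value, 0x30, "AuthenticatedSafe must be a SEQUENCE")?;
        let mut cursor = seq.value;
        while !cursor.is_empty() {
            let (ci, next) = expect_tag(cursor, 0x30, "inner ContentInfo must be a SEQUENCE")?;
            let (ci_oid, _) = expect_tag(ci.value, 0x06, "inner contentType must be an OID")?;
            inner_content_types.push(oid_to_string(ci_oid.value)?);
            cursor = next;
        }
    }
    Ok(PfxSummary { version, auth_safe_type, inner_content_types, has_mac })
}

/// DER-encodes one TLV (used only to build the constructed sample).
pub fn der(tag: u8, value: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    if value.len() < 0x80 { out.push(value.len() as u8); } else {
        let len_bytes: Vec<u8> = value.len().to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
        out.push(0x80 | len_bytes.len() as u8);
        out.extend_from_slice(&len_bytes);
    }
    out.extend_from_slice(value);
    out
}

/// Constructed sample PFX (not a real identity file): one plaintext and one
/// encrypted inner ContentInfo, plus a MacData block with placeholder bytes.
pub fn sample_pfx() -> Vec<u8> {
    let oid_data = der(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01]);
    let oid_enc = der(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06]);
    let oid_sha1 = der(0x06, &[0x2b, 0x0e, 0x03, 0x02, 0x1a]);
    let plain = der(0x30, &[oid_data.clone(), der(0xa0, &der(0x04, &der(0x30, &[])))].concat());
    let encrypted = der(0x30, &[oid_enc, der(0xa0, &der(0x30, &[]))].concat()); // EncryptedData body omitted
    let authenticated_safe = der(0x30, &[plain, encrypted].concat());
    let auth_safe = der(0x30, &[oid_data, der(0xa0, &der(0x04, &authenticated_safe))].concat());
    // MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER }
    let digest_info = der(0x30, &[der(0x30, &[oid_sha1, der(0x05, &[])].concat()), der(0x04, &[0u8; 20])].concat());
    let mac_data = der(0x30, &[digest_info, der(0x04, &[1u8; 8]), der(0x02, &[0x08, 0x00])].concat());
    der(0x30, &[der(0x02, &[0x03]), auth_safe, mac_data].concat())
}
```

The summary is enough to tell a PKCS#12 container apart from a PEM bundle or a bare DER certificate before deciding which loader to call, and to refuse files with no MacData or an unexpected outer content type early. Everything below that level (MAC verification, key derivation, decrypting the SafeContents and pulling the certBag/pkcs8ShroudedKeyBag entries) still needs one of the real parsers named in this thread.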

djc avatar djc commented on June 8, 2024

See #15.


roguh avatar roguh commented on June 8, 2024

Thank you.

Also related: rusticata/x509-parser#78


svanharmelen avatar svanharmelen commented on June 8, 2024

Hi @roguh 👋🏻 I'm currently trying to achieve the exact same thing 😏 Did you already manage to find a solution that doesn't require the openssl crate?

