Expose mTLS related APIs

cloudflare · Aug 9, 2024 · c2993c6 · c2993c6
1 parent 72b343d
commit c2993c6
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -2918,6 +2918,22 @@ impl SslRef {
         unsafe { ffi::SSL_set_verify(self.as_ptr(), mode.bits() as c_int, None) }
     }
 
+    /// Sets the certificate verification depth.
+    ///
+    /// If the peer's certificate chain is longer than this value, verification will fail.
+    ///
+    /// This corresponds to [`SSL_set_verify_depth`].
+    ///
+    /// [`SSL_set_verify_depth`]: https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_verify/
+    pub fn set_verify_depth(&mut self, depth: u32) {
+        #[cfg(feature = "rpk")]
+        assert!(!self.is_rpk, "This API is not supported for RPK");
+
+        unsafe {
+            ffi::SSL_set_verify_depth(self.as_ptr(), depth as c_int);
+        }
+    }
+
     /// Returns the verify mode that was set using `set_verify`.
     ///
     /// This corresponds to [`SSL_get_verify_mode`].
@@ -2975,6 +2991,24 @@ impl SslRef {
         }
     }
 
+    /// Sets a custom certificate store for verifying peer certificates.
+    ///
+    /// This corresponds to [`SSL_CTX_set0_verify_cert_store`].
+    ///
+    /// [`SSL_set0_verify_cert_store`]: https://docs.openssl.org/1.0.2/man3/SSL_CTX_set1_verify_cert_store/
+    pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> {
+        #[cfg(feature = "rpk")]
+        assert!(!self.is_rpk, "This API is not supported for RPK");
+
+        unsafe {
+            let ptr = cert_store.as_ptr();
+            cvt(ffi::SSL_set0_verify_cert_store(self.as_ptr(), ptr) as c_int)?;
+            mem::forget(cert_store);
+
+            Ok(())
+        }
+    }
+
     /// Like [`SslContextBuilder::set_custom_verify_callback`].
     ///
     /// This corresponds to [`SSL_set_custom_verify`].
@@ -3800,6 +3834,24 @@ impl SslRef {
         Ok(())
     }
 
+    /// Sets the list of CA names sent to the client.
+    ///
+    /// The CA certificates must still be added to the trust root - they are not automatically set
+    /// as trusted by this method.
+    ///
+    /// This corresponds to [`SSL_set_client_CA_list`].
+    ///
+    /// [`SSL_set_client_CA_list`]: https://docs.openssl.org/1.1.1/man3/SSL_CTX_set0_CA_list/
+    pub fn set_client_ca_list(&mut self, list: Stack<X509Name>) {
+        #[cfg(feature = "rpk")]
+        assert!(!self.is_rpk, "This API is not supported for RPK");
+
+        unsafe {
+            ffi::SSL_set_client_CA_list(self.as_ptr(), list.as_ptr());
+            mem::forget(list);
+        }
+    }
+
     /// Sets the private key.
     ///
     /// This corresponds to [`SSL_use_PrivateKey`].

diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs
@@ -474,6 +474,30 @@ impl X509Ref {
         }
     }
 
+    /// Returns this certificate's subject key id.
+    ///
+    /// This corresponds to [`X509_get0_subject_key_id`].
+    ///
+    /// [`X509_get0_subject_key_id`]: https://docs.openssl.org/1.1.1/man3/X509_get_extension_flags/
+    pub fn subject_key_id(&self) -> &Asn1StringRef {
+        unsafe {
+            let name = ffi::X509_get0_subject_key_id(self.as_ptr());
+            Asn1StringRef::from_ptr(name as _)
+        }
+    }
+
+    /// Returns this certificate's authority key id.
+    ///
+    /// This corresponds to [`X509_get0_authority_key_id`].
+    ///
+    /// [`X509_get0_authority_key_id`]: https://docs.openssl.org/1.1.1/man3/X509_get_extension_flags/
+    pub fn authority_key_id(&self) -> &Asn1StringRef {
+        unsafe {
+            let name = ffi::X509_get0_authority_key_id(self.as_ptr());
+            Asn1StringRef::from_ptr(name as _)
+        }
+    }
+
     pub fn public_key(&self) -> Result<PKey<Public>, ErrorStack> {
         unsafe {
             let pkey = cvt_p(ffi::X509_get_pubkey(self.as_ptr()))?;