From 89e13be325d713c64d99311f8c47d66ddeb9be3e Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Thu, 29 Feb 2024 13:39:12 +0100 Subject: [PATCH] Create Certificates via methods on CertificateParams --- rcgen/examples/rsa-irc-openssl.rs | 4 +- rcgen/examples/rsa-irc.rs | 4 +- rcgen/examples/sign-leaf-with-ca.rs | 4 +- rcgen/examples/simple.rs | 6 +- rcgen/src/certificate.rs | 100 +++++++++++++--------------- rcgen/src/lib.rs | 7 +- rcgen/tests/botan.rs | 43 ++++++------ rcgen/tests/generic.rs | 16 ++--- rcgen/tests/openssl.rs | 34 +++++----- rcgen/tests/util.rs | 7 +- rcgen/tests/webpki.rs | 54 +++++++-------- rustls-cert-gen/src/cert.rs | 6 +- 12 files changed, 141 insertions(+), 144 deletions(-) diff --git a/rcgen/examples/rsa-irc-openssl.rs b/rcgen/examples/rsa-irc-openssl.rs index a2f143b0..c1a37afa 100644 --- a/rcgen/examples/rsa-irc-openssl.rs +++ b/rcgen/examples/rsa-irc-openssl.rs @@ -1,5 +1,5 @@ fn main() -> Result<(), Box> { - use rcgen::{date_time_ymd, Certificate, CertificateParams, DistinguishedName}; + use rcgen::{date_time_ymd, CertificateParams, DistinguishedName}; use std::fmt::Write; use std::fs; @@ -12,7 +12,7 @@ fn main() -> Result<(), Box> { let key_pair_pem = String::from_utf8(pkey.private_key_to_pem_pkcs8()?)?; let key_pair = rcgen::KeyPair::from_pem(&key_pair_pem)?; - let cert = Certificate::generate_self_signed(params, &key_pair)?; + let cert = params.self_signed(&key_pair)?; let pem_serialized = cert.pem(); let pem = pem::parse(&pem_serialized)?; let der_serialized = pem.contents(); diff --git a/rcgen/examples/rsa-irc.rs b/rcgen/examples/rsa-irc.rs index 3c38962b..e8a8cca4 100644 --- a/rcgen/examples/rsa-irc.rs +++ b/rcgen/examples/rsa-irc.rs @@ -3,7 +3,7 @@ fn main() -> Result<(), Box> { use rsa::pkcs8::EncodePrivateKey; use rsa::RsaPrivateKey; - use rcgen::{date_time_ymd, Certificate, CertificateParams, DistinguishedName}; + use rcgen::{date_time_ymd, CertificateParams, DistinguishedName}; use std::fmt::Write; use std::fs; 
@@ -18,7 +18,7 @@ fn main() -> Result<(), Box> { let private_key_der = private_key.to_pkcs8_der()?; let key_pair = rcgen::KeyPair::try_from(private_key_der.as_bytes()).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair)?; + let cert = params.self_signed(&key_pair)?; let pem_serialized = cert.pem(); let pem = pem::parse(&pem_serialized)?; let der_serialized = pem.contents(); diff --git a/rcgen/examples/sign-leaf-with-ca.rs b/rcgen/examples/sign-leaf-with-ca.rs index 218c99e3..820d8f72 100644 --- a/rcgen/examples/sign-leaf-with-ca.rs +++ b/rcgen/examples/sign-leaf-with-ca.rs @@ -36,7 +36,7 @@ fn new_ca() -> Certificate { params.not_after = tomorrow; let key_pair = KeyPair::generate().unwrap(); - Certificate::generate_self_signed(params, &key_pair).unwrap() + params.self_signed(&key_pair).unwrap() } fn new_end_entity() -> Certificate { @@ -53,7 +53,7 @@ fn new_end_entity() -> Certificate { params.not_after = tomorrow; let key_pair = KeyPair::generate().unwrap(); - Certificate::generate_self_signed(params, &key_pair).unwrap() + params.self_signed(&key_pair).unwrap() } fn validity_period() -> (OffsetDateTime, OffsetDateTime) { diff --git a/rcgen/examples/simple.rs b/rcgen/examples/simple.rs index e5ee9fe0..927583a5 100644 --- a/rcgen/examples/simple.rs +++ b/rcgen/examples/simple.rs @@ -1,6 +1,4 @@ -use rcgen::{ - date_time_ymd, Certificate, CertificateParams, DistinguishedName, DnType, KeyPair, SanType, -}; +use rcgen::{date_time_ymd, CertificateParams, DistinguishedName, DnType, KeyPair, SanType}; use std::fs; fn main() -> Result<(), Box> { @@ -20,7 +18,7 @@ fn main() -> Result<(), Box> { ]; let key_pair = KeyPair::generate()?; - let cert = Certificate::generate_self_signed(params, &key_pair)?; + let cert = params.self_signed(&key_pair)?; let pem_serialized = cert.pem(); let pem = pem::parse(&pem_serialized)?; diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs index 46720010..a6311e7f 100644 --- a/rcgen/src/certificate.rs 
+++ b/rcgen/src/certificate.rs
@@ -27,52 +27,6 @@ pub struct Certificate {
 }
 
 impl Certificate {
- /// Generates a new self-signed certificate from the given parameters.
- ///
- /// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
- /// [`Certificate::pem`].
- pub fn generate_self_signed(
- params: CertificateParams,
- key_pair: &KeyPair,
- ) -> Result {
- let subject_public_key_info = key_pair.public_key_der();
- let der =
- params.serialize_der_with_signer(key_pair, key_pair, ¶ms.distinguished_name)?;
- Ok(Certificate {
- params,
- subject_public_key_info,
- der,
- })
- }
- /// Generate a new certificate from the given parameters, signed by the provided issuer.
- ///
- /// The returned certificate will have its issuer field set to the subject of the
- /// provided `issuer`, and the authority key identifier extension will be populated using
- /// the subject public key of `issuer`. It will be signed by `issuer_key`.
- ///
- /// Note that no validation of the `issuer` certificate is performed. Rcgen will not require
- /// the certificate to be a CA certificate, or have key usage extensions that allow signing.
- ///
- /// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
- /// [`Certificate::pem`].
- pub fn generate(
- params: CertificateParams,
- key_pair: &KeyPair,
- issuer: &Certificate,
- issuer_key: &KeyPair,
- ) -> Result {
- let subject_public_key_info = key_pair.public_key_der();
- let der = params.serialize_der_with_signer(
- key_pair,
- issuer_key,
- &issuer.params.distinguished_name,
- )?;
- Ok(Certificate {
- params,
- subject_public_key_info,
- der,
- })
- }
 /// Returns the certificate parameters
 pub fn params(&self) -> &CertificateParams {
 &self.params
@@ -214,6 +168,50 @@ impl CertificateParams {
 })
 }
 
+ /// Generate a new certificate from the given parameters, signed by the provided issuer.
+ ///
+ /// The returned certificate will have its issuer field set to the subject of the
+ /// provided `issuer`, and the authority key identifier extension will be populated using
+ /// the subject public key of `issuer`. It will be signed by `issuer_key`.
+ ///
+ /// Note that no validation of the `issuer` certificate is performed. Rcgen will not require
+ /// the certificate to be a CA certificate, or have key usage extensions that allow signing.
+ ///
+ /// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
+ /// [`Certificate::pem`].
+ pub fn signed_by(
+ self,
+ key_pair: &KeyPair,
+ issuer: &Certificate,
+ issuer_key: &KeyPair,
+ ) -> Result {
+ let subject_public_key_info = key_pair.public_key_der();
+ let der = self.serialize_der_with_signer(
+ key_pair,
+ issuer_key,
+ &issuer.params.distinguished_name,
+ )?;
+ Ok(Certificate {
+ params: self,
+ subject_public_key_info,
+ der,
+ })
+ }
+
+ /// Generates a new self-signed certificate from the given parameters.
+ ///
+ /// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
+ /// [`Certificate::pem`].
+ pub fn self_signed(self, key_pair: &KeyPair) -> Result {
+ let subject_public_key_info = key_pair.public_key_der();
+ let der = self.serialize_der_with_signer(key_pair, key_pair, &self.distinguished_name)?;
+ Ok(Certificate {
+ params: self,
+ subject_public_key_info,
+ der,
+ })
+ }
+
 /// Parses an existing ca certificate from the ASCII PEM format.
 ///
 /// See [`from_ca_cert_der`](Self::from_ca_cert_der) for more details.
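Review bot: `signed_by` never checks that `issuer_key` is the key pair behind `issuer`: `serialize_der_with_signer` is handed only `issuer_key` and `issuer.params.distinguished_name`, while the `subject_public_key_info` that every `Certificate` stores is never consulted, so a mismatched pair silently produces a certificate whose issuer name points at `issuer` but whose signature (and, it appears, authority key identifier, since only `issuer_key` is available to derive it) come from some other key and will not chain. The struct already carries the issuer's SPKI and `KeyPair::public_key_der()` is already called on the line above, so a cheap guard fits before the `serialize_der_with_signer` call: `if issuer.subject_public_key_info != issuer_key.public_key_der() { return Err(/* a dedicated Error variant */); }` — whether an existing `Error` variant fits, and whether both sides are byte vectors, is not visible in this hunk. Until such a check exists, the doc comment should state it explicitly next to the existing CA/key-usage caveat, e.g. `/// No check is made that `issuer_key` corresponds to the public key in `issuer`; a mismatch yields a certificate that will not validate against `issuer`.` As a style nit, the first doc line reads `Generate` while `self_signed` uses `Generates`; one form should be picked.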
@@ -228,7 +226,7 @@ impl CertificateParams { /// This function is only of use if you have an existing CA certificate /// you would like to use to sign a certificate generated by `rcgen`. /// By providing the constructed [`CertificateParams`] and the [`KeyPair`] - /// associated with your existing `ca_cert` you can use [`Certificate::generate()`] + /// associated with your existing `ca_cert` you can use [`CertificateParams::signed_by()`] /// or [`crate::CertificateSigningRequestParams::signed_by()`] to issue new certificates /// using the CA cert. /// @@ -1328,8 +1326,7 @@ mod tests { #[cfg(windows)] fn test_windows_line_endings() { let key_pair = KeyPair::generate().unwrap(); - let cert = - Certificate::generate_self_signed(CertificateParams::default(), &key_pair).unwrap(); + let cert = CertificateParams::default().self_signed(&key_pair).unwrap(); assert!(cert.pem().contains("\r\n")); } @@ -1337,8 +1334,7 @@ mod tests { #[cfg(not(windows))] fn test_not_windows_line_endings() { let key_pair = KeyPair::generate().unwrap(); - let cert = - Certificate::generate_self_signed(CertificateParams::default(), &key_pair).unwrap(); + let cert = CertificateParams::default().self_signed(&key_pair).unwrap(); assert!(!cert.pem().contains('\r')); } } @@ -1445,7 +1441,7 @@ PITGdT9dgN88nHPCle0B1+OY+OZ5 ); let kp = KeyPair::from_pem(ca_key).unwrap(); - let ca_cert = Certificate::generate_self_signed(params, &kp).unwrap(); + let ca_cert = params.self_signed(&kp).unwrap(); assert_eq!(&expected_ski, &ca_cert.key_identifier()); let (_remainder, x509) = x509_parser::parse_x509_certificate(ca_cert.der()).unwrap(); diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs index f1f57488..190f2ba7 100644 --- a/rcgen/src/lib.rs +++ b/rcgen/src/lib.rs 
@@ -5,8 +5,8 @@ This crate provides a way to generate self signed X.509 certificates. The most simple way of using this crate is by calling the [`generate_simple_self_signed`] function. -For more customization abilities, we provide the lower level -[`Certificate::generate_self_signed`] and [`Certificate::generate`] functions. +For more customization abilities, construct a [`CertificateParams`] and +a key pair to call [`CertificateParams::signed_by()`] or [`CertificateParams::self_signed()`]. */ #![cfg_attr( feature = "pem", @@ -124,8 +124,7 @@ pub fn generate_simple_self_signed( subject_alt_names: impl Into>, ) -> Result { let key_pair = KeyPair::generate()?; - let cert = - Certificate::generate_self_signed(CertificateParams::new(subject_alt_names)?, &key_pair)?; + let cert = CertificateParams::new(subject_alt_names)?.self_signed(&key_pair)?; Ok(CertifiedKey { cert, key_pair }) } diff --git a/rcgen/tests/botan.rs b/rcgen/tests/botan.rs index 2e66cead..ea559374 100644 --- a/rcgen/tests/botan.rs +++ b/rcgen/tests/botan.rs @@ -50,7 +50,7 @@ fn check_cert_ca(cert_der: &[u8], _cert: &Certificate, ca_der: &[u8]) { #[test] fn test_botan() { let (params, key_pair) = default_params(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); @@ -60,7 +60,7 @@ fn test_botan() { fn test_botan_256() { let (params, _) = default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); 
@@ -70,7 +70,7 @@ fn test_botan_256() { fn test_botan_384() { let (params, _) = default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P384_SHA384).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); @@ -80,7 +80,7 @@ fn test_botan_384() { fn test_botan_25519() { let (params, _) = default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ED25519).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); @@ -90,7 +90,7 @@ fn test_botan_25519() { fn test_botan_25519_v1_given() { let (params, _) = default_params(); let key_pair = KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); @@ -100,7 +100,7 @@ fn test_botan_25519_v1_given() { fn test_botan_25519_v2_given() { let (params, _) = default_params(); let key_pair = KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); @@ -110,7 +110,7 @@ fn test_botan_25519_v2_given() { fn test_botan_rsa_given() { let (params, _) = default_params(); let key_pair = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert); 
@@ -120,7 +120,7 @@ fn test_botan_rsa_given() { fn test_botan_separate_ca() { let (mut params, ca_key) = default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -133,7 +133,7 @@ fn test_botan_separate_ca() { params.not_after = rcgen::date_time_ymd(3016, 1, 1); let key_pair = KeyPair::generate().unwrap(); - let cert = Certificate::generate(params, &key_pair, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&key_pair, &ca_cert, &ca_key).unwrap(); check_cert_ca(cert.der(), &cert, ca_cert.der()); } @@ -142,13 +142,12 @@ fn test_botan_separate_ca() { fn test_botan_imported_ca() { let (mut params, ca_key) = default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let ca_cert_der = ca_cert.der(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap(); - let imported_ca_cert = - Certificate::generate_self_signed(imported_ca_cert_params, &ca_key).unwrap(); + let imported_ca_cert = imported_ca_cert_params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -161,7 +160,9 @@ fn test_botan_imported_ca() { params.not_after = rcgen::date_time_ymd(3016, 1, 1); let key_pair = KeyPair::generate().unwrap(); - let cert = Certificate::generate(params, &key_pair, &imported_ca_cert, &ca_key).unwrap(); + let cert = params + .signed_by(&key_pair, &imported_ca_cert, &ca_key) + .unwrap(); check_cert_ca(cert.der(), &cert, ca_cert_der); } 
@@ -174,13 +175,14 @@ fn test_botan_imported_ca_with_printable_string() { DnValue::PrintableString("US".try_into().unwrap()), ); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let ca_cert = Certificate::generate_self_signed(params, &imported_ca_key).unwrap(); + let ca_cert = params.self_signed(&imported_ca_key).unwrap(); let ca_cert_der = ca_cert.der(); let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap(); - let imported_ca_cert = - Certificate::generate_self_signed(imported_ca_cert_params, &imported_ca_key).unwrap(); + let imported_ca_cert = imported_ca_cert_params + .self_signed(&imported_ca_key) + .unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -192,8 +194,9 @@ fn test_botan_imported_ca_with_printable_string() { // Botan has a sanity check that enforces a maximum expiration date params.not_after = rcgen::date_time_ymd(3016, 1, 1); let key_pair = KeyPair::generate().unwrap(); - let cert = - Certificate::generate(params, &key_pair, &imported_ca_cert, &imported_ca_key).unwrap(); + let cert = params + .signed_by(&key_pair, &imported_ca_cert, &imported_ca_key) + .unwrap(); check_cert_ca(cert.der(), &cert, ca_cert_der); } @@ -210,7 +213,7 @@ fn test_botan_crl_parse() { KeyUsagePurpose::CrlSign, ]; let issuer_key = KeyPair::generate_for(alg).unwrap(); - let issuer = Certificate::generate_self_signed(issuer, &issuer_key).unwrap(); + let issuer = issuer.self_signed(&issuer_key).unwrap(); // Create an end entity cert issued by the issuer. let (mut ee, _) = util::default_params(); 
@@ -219,7 +222,7 @@ fn test_botan_crl_parse() { // Botan has a sanity check that enforces a maximum expiration date ee.not_after = rcgen::date_time_ymd(3016, 1, 1); let ee_key = KeyPair::generate_for(alg).unwrap(); - let ee = Certificate::generate(ee, &ee_key, &issuer, &issuer_key).unwrap(); + let ee = ee.signed_by(&ee_key, &issuer, &issuer_key).unwrap(); let botan_ee = botan::Certificate::load(ee.der()).unwrap(); // Generate a CRL with the issuer that revokes the EE cert. diff --git a/rcgen/tests/generic.rs b/rcgen/tests/generic.rs index d541d85b..144ec88d 100644 --- a/rcgen/tests/generic.rs +++ b/rcgen/tests/generic.rs @@ -38,7 +38,7 @@ mod test_key_params_mismatch { #[cfg(feature = "x509-parser")] mod test_convert_x509_subject_alternative_name { - use rcgen::{BasicConstraints, Certificate, CertificateParams, IsCa, SanType}; + use rcgen::{BasicConstraints, CertificateParams, IsCa, SanType}; use std::net::{IpAddr, Ipv4Addr}; #[test] @@ -54,7 +54,7 @@ mod test_convert_x509_subject_alternative_name { // Because we're using a function for CA certificates params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let cert = params.self_signed(&ca_key).unwrap(); // Serialize our cert that has our chosen san, so we can testing parsing/deserializing it. let ca_der = cert.der(); @@ -68,7 +68,7 @@ mod test_convert_x509_subject_alternative_name { mod test_x509_custom_ext { use crate::util; - use rcgen::{Certificate, CustomExtension}; + use rcgen::CustomExtension; use x509_parser::oid_registry::asn1_rs; use x509_parser::prelude::{ FromDer, ParsedCriAttribute, X509Certificate, X509CertificationRequest, 
@@ -93,7 +93,7 @@ mod test_x509_custom_ext { // Ensure the custom exts. being omitted into a CSR doesn't require SAN ext being present. // See https://github.com/rustls/rcgen/issues/122 params.subject_alt_names = Vec::default(); - let test_cert = Certificate::generate_self_signed(params, &test_key).unwrap(); + let test_cert = params.self_signed(&test_key).unwrap(); let (_, x509_test_cert) = X509Certificate::from_der(test_cert.der()).unwrap(); // We should be able to find the extension by OID, with expected criticality and value. @@ -295,7 +295,7 @@ mod test_parse_crl_dps { mod test_parse_ia5string_subject { use crate::util; use rcgen::DnType::CustomDnType; - use rcgen::{Certificate, CertificateParams, DistinguishedName, DnValue}; + use rcgen::{CertificateParams, DistinguishedName, DnValue}; #[test] fn parse_ia5string_subject() { @@ -308,7 +308,7 @@ mod test_parse_ia5string_subject { email_address_dn_type.clone(), email_address_dn_value.clone(), ); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); let cert_der = cert.der(); // We should be able to parse the certificate with x509-parser. @@ -329,7 +329,7 @@ mod test_parse_ia5string_subject { #[cfg(feature = "x509-parser")] mod test_parse_other_name_alt_name { - use rcgen::{Certificate, CertificateParams, KeyPair, SanType}; + use rcgen::{CertificateParams, KeyPair, SanType}; #[test] fn parse_other_name_alt_name() { @@ -339,7 +339,7 @@ mod test_parse_other_name_alt_name { params.subject_alt_names.push(other_name.clone()); let key_pair = KeyPair::generate().unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); let cert_der = cert.der(); diff --git a/rcgen/tests/openssl.rs b/rcgen/tests/openssl.rs index b25c83e6..8462fbc5 100644 --- a/rcgen/tests/openssl.rs +++ b/rcgen/tests/openssl.rs 
@@ -173,14 +173,14 @@ fn verify_csr(cert: &Certificate, key_pair: &KeyPair) { #[test] fn test_openssl() { let (params, key_pair) = util::default_params(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); verify_cert(&cert, &key_pair); } #[test] fn test_request() { let (params, key_pair) = util::default_params(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); verify_csr(&cert, &key_pair); } @@ -188,7 +188,7 @@ fn test_request() { fn test_openssl_256() { let (params, _) = util::default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. verify_cert(&cert, &key_pair); @@ -199,7 +199,7 @@ fn test_openssl_256() { fn test_openssl_384() { let (params, _) = util::default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P384_SHA384).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. verify_cert(&cert, &key_pair); @@ -210,7 +210,7 @@ fn test_openssl_384() { fn test_openssl_25519() { let (params, _) = util::default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ED25519).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. // TODO openssl doesn't support v2 keys (yet) 
@@ -224,7 +224,7 @@ fn test_openssl_25519() { fn test_openssl_25519_v1_given() { let (params, _) = util::default_params(); let key_pair = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate as well as CSR, // but only on OpenSSL >= 1.1.1 @@ -242,7 +242,7 @@ fn test_openssl_25519_v1_given() { fn test_openssl_25519_v2_given() { let (params, _) = util::default_params(); let key_pair = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. // TODO openssl doesn't support v2 keys (yet) @@ -256,7 +256,7 @@ fn test_openssl_25519_v2_given() { fn test_openssl_rsa_given() { let (params, _) = util::default_params(); let key_pair = KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. verify_cert(&cert, &key_pair); @@ -274,7 +274,7 @@ fn test_openssl_rsa_combinations_given() { for (i, alg) in alg_list.iter().enumerate() { let (params, _) = util::default_params(); let key_pair = KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, alg).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. if i >= 4 { 
@@ -292,7 +292,7 @@ fn test_openssl_rsa_combinations_given() { fn test_openssl_separate_ca() { let (mut params, ca_key) = util::default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let ca_cert_pem = ca_cert.pem(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); @@ -303,7 +303,7 @@ fn test_openssl_separate_ca() { .distinguished_name .push(DnType::CommonName, "Dev domain"); let cert_key = KeyPair::generate().unwrap(); - let cert = Certificate::generate(params, &cert_key, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&cert_key, &ca_cert, &ca_key).unwrap(); let key = cert_key.serialize_der(); verify_cert_ca(&cert.pem(), &key, &ca_cert_pem); @@ -317,7 +317,7 @@ fn test_openssl_separate_ca_with_printable_string() { DnValue::PrintableString("US".try_into().unwrap()), ); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -327,7 +327,7 @@ fn test_openssl_separate_ca_with_printable_string() { .distinguished_name .push(DnType::CommonName, "Dev domain"); let cert_key = KeyPair::generate().unwrap(); - let cert = Certificate::generate(params, &cert_key, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&cert_key, &ca_cert, &ca_key).unwrap(); let key = cert_key.serialize_der(); verify_cert_ca(&cert.pem(), &key, &ca_cert.pem()); 
@@ -338,7 +338,7 @@ fn test_openssl_separate_ca_with_other_signing_alg() { let (mut params, _) = util::default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); let ca_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -348,7 +348,7 @@ fn test_openssl_separate_ca_with_other_signing_alg() { .distinguished_name .push(DnType::CommonName, "Dev domain"); let cert_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P384_SHA384).unwrap(); - let cert = Certificate::generate(params, &cert_key, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&cert_key, &ca_cert, &ca_key).unwrap(); let key = cert_key.serialize_der(); verify_cert_ca(&cert.pem(), &key, &ca_cert.pem()); @@ -368,7 +368,7 @@ fn test_openssl_separate_ca_name_constraints() { //excluded_subtrees : vec![GeneralSubtree::DnsName(".v".to_string())], excluded_subtrees: Vec::new(), }); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -378,7 +378,7 @@ fn test_openssl_separate_ca_name_constraints() { .distinguished_name .push(DnType::CommonName, "Dev domain"); let cert_key = KeyPair::generate().unwrap(); - let cert = Certificate::generate(params, &cert_key, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&cert_key, &ca_cert, &ca_key).unwrap(); let key = cert_key.serialize_der(); verify_cert_ca(&cert.pem(), &key, &ca_cert.pem()); diff --git a/rcgen/tests/util.rs b/rcgen/tests/util.rs index 26cdddca..1378757b 100644 --- a/rcgen/tests/util.rs +++ b/rcgen/tests/util.rs 
@@ -91,7 +91,7 @@ pub fn test_crl() -> (CertificateRevocationList, Certificate, KeyPair) { KeyUsagePurpose::DigitalSignature, KeyUsagePurpose::CrlSign, ]; - let issuer = Certificate::generate_self_signed(issuer, &key_pair).unwrap(); + let issuer = issuer.self_signed(&key_pair).unwrap(); let now = OffsetDateTime::now_utc(); let next_week = now + Duration::weeks(1); @@ -135,8 +135,5 @@ pub fn cert_with_crl_dps() -> Vec { }, ]; - Certificate::generate_self_signed(params, &key_pair) - .unwrap() - .der() - .to_vec() + params.self_signed(&key_pair).unwrap().der().to_vec() } diff --git a/rcgen/tests/webpki.rs b/rcgen/tests/webpki.rs index 8c3fefc7..93c2a9f9 100644 --- a/rcgen/tests/webpki.rs +++ b/rcgen/tests/webpki.rs @@ -114,7 +114,7 @@ fn check_cert_ca<'a, 'b>( #[test] fn test_webpki() { let (params, key_pair) = util::default_params(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. let sign_fn = @@ -132,7 +132,7 @@ fn test_webpki() { fn test_webpki_256() { let (params, _) = util::default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING); @@ -149,7 +149,7 @@ fn test_webpki_256() { fn test_webpki_384() { let (params, _) = util::default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P384_SHA384).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P384_SHA384_ASN1_SIGNING); 
@@ -166,7 +166,7 @@ fn test_webpki_384() { fn test_webpki_25519() { let (params, _) = util::default_params(); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ED25519).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert( @@ -183,7 +183,7 @@ fn test_webpki_25519() { fn test_webpki_25519_v1_given() { let (params, _) = util::default_params(); let key_pair = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V1).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert( @@ -200,7 +200,7 @@ fn test_webpki_25519_v1_given() { fn test_webpki_25519_v2_given() { let (params, _) = util::default_params(); let key_pair = rcgen::KeyPair::from_pem(util::ED25519_TEST_KEY_PAIR_PEM_V2).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert( @@ -217,7 +217,7 @@ fn test_webpki_25519_v2_given() { fn test_webpki_rsa_given() { let (params, _) = util::default_params(); let key_pair = rcgen::KeyPair::from_pem(util::RSA_TEST_KEY_PAIR_PEM).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert( @@ -254,7 +254,7 @@ fn test_webpki_rsa_combinations_given() { let (params, _) = util::default_params(); let key_pair = rcgen::KeyPair::from_pem_and_sign_algo(util::RSA_TEST_KEY_PAIR_PEM, c.0).unwrap(); - let cert = Certificate::generate_self_signed(params, &key_pair).unwrap(); + let cert = params.self_signed(&key_pair).unwrap(); // Now verify the certificate. check_cert(cert.der(), &cert, &key_pair, c.1, |msg, cert| { 
@@ -267,7 +267,7 @@ fn test_webpki_rsa_combinations_given() { fn test_webpki_separate_ca() { let (mut params, ca_key) = util::default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -278,7 +278,7 @@ fn test_webpki_separate_ca() { .push(DnType::CommonName, "Dev domain"); let key_pair = KeyPair::generate().unwrap(); - let cert = Certificate::generate(params, &key_pair, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&key_pair, &ca_cert, &ca_key).unwrap(); let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING); check_cert_ca( cert.der(), @@ -295,7 +295,7 @@ fn test_webpki_separate_ca_with_other_signing_alg() { let (mut params, _) = util::default_params(); params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); let ca_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap(); - let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap(); + let ca_cert = params.self_signed(&ca_key).unwrap(); let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap(); params @@ -306,7 +306,7 @@ fn test_webpki_separate_ca_with_other_signing_alg() { .push(DnType::CommonName, "Dev domain"); let key_pair = KeyPair::generate_for(&rcgen::PKCS_ED25519).unwrap(); - let cert = Certificate::generate(params, &key_pair, &ca_cert, &ca_key).unwrap(); + let cert = params.signed_by(&key_pair, &ca_cert, &ca_key).unwrap(); check_cert_ca( cert.der(), &key_pair, 
@@ -356,7 +356,7 @@ fn from_remote() {
 let remote = KeyPair::from_remote(Box::new(Remote(remote))).unwrap();
 let (params, _) = util::default_params();
- let cert = Certificate::generate_self_signed(params, &remote).unwrap();
+ let cert = params.self_signed(&remote).unwrap();
 // Now verify the certificate.
 let sign_fn = move |_, msg| {
@@ -416,13 +416,12 @@ fn test_webpki_separate_ca_name_constraints() {
 fn test_webpki_imported_ca() {
 let (mut params, ca_key) = util::default_params();
 params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
- let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
+ let ca_cert = params.self_signed(&ca_key).unwrap();
 let ca_cert_der = ca_cert.der();
 let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
- let imported_ca_cert =
- Certificate::generate_self_signed(imported_ca_cert_params, &ca_key).unwrap();
+ let imported_ca_cert = imported_ca_cert_params.self_signed(&ca_key).unwrap();
 let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 params
@@ -432,7 +431,9 @@ fn test_webpki_imported_ca() {
 .distinguished_name
 .push(DnType::CommonName, "Dev domain");
 let cert_key = KeyPair::generate().unwrap();
- let cert = Certificate::generate(params, &cert_key, &imported_ca_cert, &ca_key).unwrap();
+ let cert = params
+ .signed_by(&cert_key, &imported_ca_cert, &ca_key)
+ .unwrap();
 let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING);
 check_cert_ca(
@@ -454,13 +455,12 @@ fn test_webpki_imported_ca_with_printable_string() {
 DnValue::PrintableString("US".try_into().unwrap()),
 );
 params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
- let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
+ let ca_cert = params.self_signed(&ca_key).unwrap();
 let ca_cert_der = ca_cert.der();
 let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
- let imported_ca_cert =
- Certificate::generate_self_signed(imported_ca_cert_params, &ca_key).unwrap();
+ let imported_ca_cert = imported_ca_cert_params.self_signed(&ca_key).unwrap();
 let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 params
@@ -470,7 +470,9 @@ fn test_webpki_imported_ca_with_printable_string() {
 .distinguished_name
 .push(DnType::CommonName, "Dev domain");
 let cert_key = KeyPair::generate().unwrap();
- let cert = Certificate::generate(params, &cert_key, &imported_ca_cert, &ca_key).unwrap();
+ let cert = params
+ .signed_by(&cert_key, &imported_ca_cert, &ca_key)
+ .unwrap();
 let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING);
 check_cert_ca(
@@ -494,13 +496,13 @@ fn test_certificate_from_csr() {
 .distinguished_name
 .push(DnType::CommonName, "Dev domain");
 let cert_key = KeyPair::generate().unwrap();
- let cert = Certificate::generate_self_signed(params, &cert_key).unwrap();
+ let cert = params.self_signed(&cert_key).unwrap();
 let csr_der = cert.serialize_request_der(&cert_key).unwrap();
 let csr = CertificateSigningRequestParams::from_der(&csr_der).unwrap();
 let (mut params, ca_key) = util::default_params();
 params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
- let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
+ let ca_cert = params.self_signed(&ca_key).unwrap();
 let cert = csr.signed_by(&ca_cert, &ca_key).unwrap();
 let sign_fn =
@@ -519,7 +521,7 @@ fn test_certificate_from_csr() {
 fn test_webpki_serial_number() {
 let (mut params, key_pair) = util::default_params();
 params.serial_number = Some(vec![0, 1, 2].into());
- let cert = Certificate::generate_self_signed(params, &key_pair).unwrap();
+ let cert = params.self_signed(&key_pair).unwrap();
 // Now verify the certificate.
 let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING);
@@ -579,7 +581,7 @@ fn test_webpki_crl_revoke() {
 KeyUsagePurpose::CrlSign,
 ];
 let issuer_key = KeyPair::generate_for(alg).unwrap();
- let issuer = Certificate::generate_self_signed(issuer, &issuer_key).unwrap();
+ let issuer = issuer.self_signed(&issuer_key).unwrap();
 // Create an end entity cert issued by the issuer.
 let (mut ee, _) = util::default_params();
@@ -587,7 +589,7 @@ fn test_webpki_crl_revoke() {
 ee.extended_key_usages = vec![ExtendedKeyUsagePurpose::ClientAuth];
 ee.serial_number = Some(SerialNumber::from(99999));
 let ee_key = KeyPair::generate_for(alg).unwrap();
- let ee = Certificate::generate(ee, &ee_key, &issuer, &issuer_key).unwrap();
+ let ee = ee.signed_by(&ee_key, &issuer, &issuer_key).unwrap();
 // Set up webpki's verification requirements.
 let ca_der = CertificateDer::from(issuer.der());
diff --git a/rustls-cert-gen/src/cert.rs b/rustls-cert-gen/src/cert.rs
index ec225482..3cb88f1c 100644
--- a/rustls-cert-gen/src/cert.rs
+++ b/rustls-cert-gen/src/cert.rs
@@ -107,7 +107,7 @@ impl CaBuilder {
 /// build `Ca` Certificate.
 pub fn build(self) -> Result {
 let key_pair = self.alg.to_key_pair()?;
- let cert = Certificate::generate_self_signed(self.params, &key_pair)?;
+ let cert = self.params.self_signed(&key_pair)?;
 Ok(Ca { cert, key_pair })
 }
 }
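Review bot: The doc comment `/// build `Ca` Certificate.` above `CaBuilder::build` in the `@@ -107` hunk of rustls-cert-gen/src/cert.rs says nothing about the key material the method returns, and the rewritten body makes that the part a caller needs to know: it obtains a key pair from `self.alg`, self-signs `self.params` with it, and hands back both inside `Ca`, so the caller now holds the CA's private key and is responsible for storing it safely. I would replace the comment with `/// Obtain a key pair for `self.alg`, self-sign `self.params` with it, and return the certificate together with its private key as a [`Ca`].` The matching `/// build `EndEntity` Certificate.` on `EndEntityBuilder::build` in the `@@ -197` hunk should likewise say that it issues `self.params` as a certificate signed by `issuer.key_pair` and returns the new leaf's private key in `EndEntity`. Whether `to_key_pair` generates a fresh key or reuses one is not visible in this chunk, which is why the proposed wording says "obtain" rather than "generate".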
@@ -197,7 +197,9 @@ impl EndEntityBuilder {
 /// build `EndEntity` Certificate.
 pub fn build(self, issuer: &Ca) -> Result {
 let key_pair = self.alg.to_key_pair()?;
- let cert = Certificate::generate(self.params, &key_pair, &issuer.cert, &issuer.key_pair)?;
+ let cert = self
+ .params
+ .signed_by(&key_pair, &issuer.cert, &issuer.key_pair)?;
 Ok(EndEntity { cert, key_pair })
 }
 }