commit d389dba04f66deb3dd1831ed96b6843a9eee1309 (tree)
parent 9856bea34e9d7eca6dfc2e883d46f24a53265dc6
Author: Andrew Kelley <andrew@ziglang.org>
Date: Mon, 16 Jan 2023 00:24:03 -0500
Merge pull request #14329 from ziglang/v1-ssl-certificates
support v1/v2 SSL certificates and search more Linux directories for certificates
Diffstat:
2 files changed, 106 insertions(+), 16 deletions(-)
diff --git a/lib/std/crypto/Certificate.zig b/lib/std/crypto/Certificate.zig
@@ -3,6 +3,8 @@ index: u32,
pub const Bundle = @import("Certificate/Bundle.zig");
+pub const Version = enum { v1, v2, v3 };
+
pub const Algorithm = enum {
sha1WithRSAEncryption,
sha224WithRSAEncryption,
@@ -130,6 +132,7 @@ pub const Parsed = struct {
message_slice: Slice,
subject_alt_name_slice: Slice,
validity: Validity,
+ version: Version,
pub const PubKeyAlgo = union(AlgorithmCategory) {
rsaEncryption: void,
@@ -299,9 +302,12 @@ pub fn parse(cert: Certificate) !Parsed {
const cert_bytes = cert.buffer;
const certificate = try der.Element.parse(cert_bytes, cert.index);
const tbs_certificate = try der.Element.parse(cert_bytes, certificate.slice.start);
- const version = try der.Element.parse(cert_bytes, tbs_certificate.slice.start);
- try checkVersion(cert_bytes, version);
- const serial_number = try der.Element.parse(cert_bytes, version.slice.end);
+ const version_elem = try der.Element.parse(cert_bytes, tbs_certificate.slice.start);
+ const version = try parseVersion(cert_bytes, version_elem);
+ const serial_number = if (@bitCast(u8, version_elem.identifier) == 0xa0)
+ try der.Element.parse(cert_bytes, version_elem.slice.end)
+ else
+ version_elem;
// RFC 5280, section 4.1.2.3:
// "This field MUST contain the same algorithm identifier as
// the signatureAlgorithm field in the sequence Certificate."
@@ -370,6 +376,9 @@ pub fn parse(cert: Certificate) !Parsed {
// Extensions
var subject_alt_name_slice = der.Element.Slice.empty;
ext: {
+ if (version == .v1)
+ break :ext;
+
if (pub_key_info.slice.end >= tbs_certificate.slice.end)
break :ext;
@@ -415,6 +424,7 @@ pub fn parse(cert: Certificate) !Parsed {
.not_after = not_after_utc,
},
.subject_alt_name_slice = subject_alt_name_slice,
+ .version = version,
};
}
@@ -588,12 +598,24 @@ fn parseEnum(comptime E: type, bytes: []const u8, element: der.Element) !E {
return E.map.get(oid_bytes) orelse return error.CertificateHasUnrecognizedObjectId;
}
-pub fn checkVersion(bytes: []const u8, version: der.Element) !void {
- if (@bitCast(u8, version.identifier) != 0xa0 or
- !mem.eql(u8, bytes[version.slice.start..version.slice.end], "\x02\x01\x02"))
- {
- return error.UnsupportedCertificateVersion;
+pub fn parseVersion(bytes: []const u8, version_elem: der.Element) !Version {
+ if (@bitCast(u8, version_elem.identifier) != 0xa0)
+ return .v1;
+
+ if (version_elem.slice.end - version_elem.slice.start != 3)
+ return error.CertificateFieldHasInvalidLength;
+
+ const encoded_version = bytes[version_elem.slice.start..version_elem.slice.end];
+
+ if (mem.eql(u8, encoded_version, "\x02\x01\x02")) {
+ return .v3;
+ } else if (mem.eql(u8, encoded_version, "\x02\x01\x01")) {
+ return .v2;
+ } else if (mem.eql(u8, encoded_version, "\x02\x01\x00")) {
+ return .v1;
}
+
+ return error.UnsupportedCertificateVersion;
}
fn verifyRsa(
diff --git a/lib/std/crypto/Certificate/Bundle.zig b/lib/std/crypto/Certificate/Bundle.zig
@@ -68,29 +68,93 @@ pub fn rescan(cb: *Bundle, gpa: Allocator) !void {
}
pub fn rescanLinux(cb: *Bundle, gpa: Allocator) !void {
- var dir = fs.openIterableDirAbsolute("/etc/ssl/certs", .{}) catch |err| switch (err) {
- error.FileNotFound => return,
- else => |e| return e,
+ // Possible certificate files; stop after finding one.
+ const cert_file_paths = [_][]const u8{
+ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
+ "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
+ "/etc/ssl/ca-bundle.pem", // OpenSUSE
+ "/etc/pki/tls/cacert.pem", // OpenELEC
+ "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+ "/etc/ssl/cert.pem", // Alpine Linux
+ };
+
+ // Possible directories with certificate files; all will be read.
+ const cert_dir_paths = [_][]const u8{
+ "/etc/ssl/certs", // SLES10/SLES11
+ "/etc/pki/tls/certs", // Fedora/RHEL
+ "/system/etc/security/cacerts", // Android
};
- defer dir.close();
cb.bytes.clearRetainingCapacity();
cb.map.clearRetainingCapacity();
- var it = dir.iterate();
+ scan: {
+ for (cert_file_paths) |cert_file_path| {
+ if (addCertsFromFilePathAbsolute(cb, gpa, cert_file_path)) |_| {
+ break :scan;
+ } else |err| switch (err) {
+ error.FileNotFound => continue,
+ else => |e| return e,
+ }
+ }
+
+ for (cert_dir_paths) |cert_dir_path| {
+ addCertsFromDirPathAbsolute(cb, gpa, cert_dir_path) catch |err| switch (err) {
+ error.FileNotFound => continue,
+ else => |e| return e,
+ };
+ }
+ }
+
+ cb.bytes.shrinkAndFree(gpa, cb.bytes.items.len);
+}
+
+pub fn addCertsFromDirPath(
+ cb: *Bundle,
+ gpa: Allocator,
+ dir: fs.Dir,
+ sub_dir_path: []const u8,
+) !void {
+ var iterable_dir = try dir.openIterableDir(sub_dir_path, .{});
+ defer iterable_dir.close();
+ return addCertsFromDir(cb, gpa, iterable_dir);
+}
+
+pub fn addCertsFromDirPathAbsolute(
+ cb: *Bundle,
+ gpa: Allocator,
+ abs_dir_path: []const u8,
+) !void {
+ assert(fs.path.isAbsolute(abs_dir_path));
+ var iterable_dir = try fs.openIterableDirAbsolute(abs_dir_path, .{});
+ defer iterable_dir.close();
+ return addCertsFromDir(cb, gpa, iterable_dir);
+}
+
+pub fn addCertsFromDir(cb: *Bundle, gpa: Allocator, iterable_dir: fs.IterableDir) !void {
+ var it = iterable_dir.iterate();
while (try it.next()) |entry| {
switch (entry.kind) {
.File, .SymLink => {},
else => continue,
}
- try addCertsFromFile(cb, gpa, dir.dir, entry.name);
+ try addCertsFromFilePath(cb, gpa, iterable_dir.dir, entry.name);
}
+}
- cb.bytes.shrinkAndFree(gpa, cb.bytes.items.len);
+pub fn addCertsFromFilePathAbsolute(
+ cb: *Bundle,
+ gpa: Allocator,
+ abs_file_path: []const u8,
+) !void {
+ assert(fs.path.isAbsolute(abs_file_path));
+ var file = try fs.openFileAbsolute(abs_file_path, .{});
+ defer file.close();
+ return addCertsFromFile(cb, gpa, file);
}
-pub fn addCertsFromFile(
+pub fn addCertsFromFilePath(
cb: *Bundle,
gpa: Allocator,
dir: fs.Dir,
@@ -98,7 +162,10 @@ pub fn addCertsFromFile(
) !void {
var file = try dir.openFile(sub_file_path, .{});
defer file.close();
+ return addCertsFromFile(cb, gpa, file);
+}
+pub fn addCertsFromFile(cb: *Bundle, gpa: Allocator, file: fs.File) !void {
const size = try file.getEndPos();
// We borrow `bytes` as a temporary buffer for the base64-encoded data.
@@ -152,6 +219,7 @@ pub fn addCertsFromFile(
const builtin = @import("builtin");
const std = @import("../../std.zig");
+const assert = std.debug.assert;
const fs = std.fs;
const mem = std.mem;
const crypto = std.crypto;