1use bitflags::bitflags;
2use foreign_types::ForeignTypeRef;
3use libc::{c_int, c_uint, c_ulong, time_t};
4use std::net::IpAddr;
5
6use crate::error::ErrorStack;
7#[cfg(any(ossl102, boringssl))]
8use crate::x509::X509PurposeId;
9use crate::{cvt, cvt_p};
10use openssl_macros::corresponds;
11
12bitflags! {
13 /// Flags used to check an `X509` certificate.
14 #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
15 #[repr(transparent)]
16 pub struct X509CheckFlags: c_uint {
17 const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT as _;
18 const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS as _;
19 const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS as _;
20 const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS as _;
21 const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS as _;
22 /// Requires OpenSSL 1.1.0 or newer.
23 #[cfg(any(ossl110))]
24 const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
25
26 #[deprecated(since = "0.10.6", note = "renamed to NO_WILDCARDS")]
27 const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS as _;
28 }
29}
30
31bitflags! {
32 /// Flags used to verify an `X509` certificate chain.
33 #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
34 #[repr(transparent)]
35 pub struct X509VerifyFlags: c_ulong {
36 const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK as _;
37 const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME as _;
38 const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK as _;
39 const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL as _;
40 const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL as _;
41 const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT as _;
42 const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS as _;
43 const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK as _;
44 const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY as _;
45 const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY as _;
46 const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP as _;
47 const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY as _;
48 const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT as _;
49 const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS as _;
50 const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE as _;
51 #[cfg(any(ossl102, boringssl))]
52 const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST as _;
53 #[cfg(ossl102)]
54 const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY;
55 #[cfg(ossl102)]
56 const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS;
57 #[cfg(ossl102)]
58 const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS;
59 #[cfg(any(ossl102, boringssl))]
60 const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN as _;
61 #[cfg(any(ossl110, boringssl))]
62 const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS as _;
63 #[cfg(any(ossl110, boringssl))]
64 const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME as _;
65 }
66}
67
68foreign_type_and_impl_send_sync! {
69 type CType = ffi::X509_VERIFY_PARAM;
70 fn drop = ffi::X509_VERIFY_PARAM_free;
71
72 /// Adjust parameters associated with certificate verification.
73 pub struct X509VerifyParam;
74 /// Reference to `X509VerifyParam`.
75 pub struct X509VerifyParamRef;
76}
77
78impl X509VerifyParam {
79 /// Create an X509VerifyParam
80 #[corresponds(X509_VERIFY_PARAM_new)]
81 pub fn new() -> Result<X509VerifyParam, ErrorStack> {
82 unsafe {
83 ffi::init();
84 cvt_p(ffi::X509_VERIFY_PARAM_new()).map(op:X509VerifyParam)
85 }
86 }
87}
88
89impl X509VerifyParamRef {
90 /// Set the host flags.
91 #[corresponds(X509_VERIFY_PARAM_set_hostflags)]
92 pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
93 unsafe {
94 ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits());
95 }
96 }
97
98 /// Set verification flags.
99 #[corresponds(X509_VERIFY_PARAM_set_flags)]
100 pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
101 unsafe {
102 cvt(ffi::X509_VERIFY_PARAM_set_flags(
103 self.as_ptr(),
104 flags.bits(),
105 ))
106 .map(|_| ())
107 }
108 }
109
110 /// Clear verification flags.
111 #[corresponds(X509_VERIFY_PARAM_clear_flags)]
112 pub fn clear_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
113 unsafe {
114 cvt(ffi::X509_VERIFY_PARAM_clear_flags(
115 self.as_ptr(),
116 flags.bits(),
117 ))
118 .map(|_| ())
119 }
120 }
121
122 /// Gets verification flags.
123 #[corresponds(X509_VERIFY_PARAM_get_flags)]
124 pub fn flags(&mut self) -> X509VerifyFlags {
125 let bits = unsafe { ffi::X509_VERIFY_PARAM_get_flags(self.as_ptr()) };
126 X509VerifyFlags::from_bits_retain(bits)
127 }
128
129 /// Set the expected DNS hostname.
130 #[corresponds(X509_VERIFY_PARAM_set1_host)]
131 pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
132 unsafe {
133 // len == 0 means "run strlen" :(
134 let raw_host = if host.is_empty() { "\0" } else { host };
135 cvt(ffi::X509_VERIFY_PARAM_set1_host(
136 self.as_ptr(),
137 raw_host.as_ptr() as *const _,
138 host.len(),
139 ))
140 .map(|_| ())
141 }
142 }
143
144 /// Set the expected email address.
145 #[corresponds(X509_VERIFY_PARAM_set1_email)]
146 pub fn set_email(&mut self, email: &str) -> Result<(), ErrorStack> {
147 unsafe {
148 // len == 0 means "run strlen" :(
149 let raw_email = if email.is_empty() { "\0" } else { email };
150 cvt(ffi::X509_VERIFY_PARAM_set1_email(
151 self.as_ptr(),
152 raw_email.as_ptr() as *const _,
153 email.len(),
154 ))
155 .map(|_| ())
156 }
157 }
158
159 /// Set the expected IPv4 or IPv6 address.
160 #[corresponds(X509_VERIFY_PARAM_set1_ip)]
161 pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
162 unsafe {
163 let mut buf = [0; 16];
164 let len = match ip {
165 IpAddr::V4(addr) => {
166 buf[..4].copy_from_slice(&addr.octets());
167 4
168 }
169 IpAddr::V6(addr) => {
170 buf.copy_from_slice(&addr.octets());
171 16
172 }
173 };
174 cvt(ffi::X509_VERIFY_PARAM_set1_ip(
175 self.as_ptr(),
176 buf.as_ptr() as *const _,
177 len,
178 ))
179 .map(|_| ())
180 }
181 }
182
183 /// Set the verification time, where time is of type time_t, traditionaly defined as seconds since the epoch
184 #[corresponds(X509_VERIFY_PARAM_set_time)]
185 pub fn set_time(&mut self, time: time_t) {
186 unsafe { ffi::X509_VERIFY_PARAM_set_time(self.as_ptr(), time) }
187 }
188
189 /// Set the verification depth
190 #[corresponds(X509_VERIFY_PARAM_set_depth)]
191 pub fn set_depth(&mut self, depth: c_int) {
192 unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) }
193 }
194
195 /// Sets the authentication security level to auth_level
196 #[corresponds(X509_VERIFY_PARAM_set_auth_level)]
197 #[cfg(ossl110)]
198 pub fn set_auth_level(&mut self, lvl: c_int) {
199 unsafe { ffi::X509_VERIFY_PARAM_set_auth_level(self.as_ptr(), lvl) }
200 }
201
202 /// Gets the current authentication security level
203 #[corresponds(X509_VERIFY_PARAM_get_auth_level)]
204 #[cfg(ossl110)]
205 pub fn auth_level(&self) -> i32 {
206 unsafe { ffi::X509_VERIFY_PARAM_get_auth_level(self.as_ptr()) }
207 }
208
209 /// Sets the verification purpose
210 #[corresponds(X509_VERIFY_PARAM_set_purpose)]
211 #[cfg(any(ossl102, boringssl))]
212 pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> {
213 unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) }
214 }
215}
216