lib.rs (88922B)
1 //! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate) 2 //! 3 //! [git]: https://git.philomathiclife.com/git_badge.svg 4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust 5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs 6 //! 7 //! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`]. 8 #![cfg_attr(docsrs, feature(doc_cfg))] 9 #![deny( 10 unknown_lints, 11 future_incompatible, 12 let_underscore, 13 missing_docs, 14 nonstandard_style, 15 refining_impl_trait, 16 rust_2018_compatibility, 17 rust_2018_idioms, 18 rust_2021_compatibility, 19 rust_2024_compatibility, 20 unsafe_code, 21 unused, 22 warnings, 23 clippy::all, 24 clippy::cargo, 25 clippy::complexity, 26 clippy::correctness, 27 clippy::nursery, 28 clippy::pedantic, 29 clippy::perf, 30 clippy::restriction, 31 clippy::style, 32 clippy::suspicious 33 )] 34 #![expect( 35 clippy::arbitrary_source_item_ordering, 36 clippy::blanket_clippy_restriction_lints, 37 clippy::implicit_return, 38 clippy::missing_trait_methods, 39 clippy::multiple_crate_versions, 40 clippy::single_call_fn, 41 reason = "noisy, opinionated, and likely doesn't prevent bugs or improve APIs" 42 )] 43 use core::{ 44 future::Future, 45 pin::Pin, 46 task::{Context, Poll}, 47 }; 48 use sha2::{ 49 Sha224, Sha256, Sha384, Sha512, 50 digest::{Digest as _, OutputSizeUser, generic_array::GenericArray}, 51 }; 52 use std::io::{self, IoSlice}; 53 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf}; 54 #[cfg(feature = "runtime")] 55 use tokio_postgres::tls::MakeTlsConnect; 56 use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream}; 57 use tokio_rustls::{ 58 self, Connect, 59 client::TlsStream as RustlsStream, 60 rustls::{ 61 ClientConfig, 62 pki_types::{InvalidDnsNameError, ServerName}, 63 }, 64 }; 65 /// Hash for the leaf certificate provided by the PostgreSQL server. 66 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 67 enum Hash { 68 /// SHA-256 hash. 69 Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>), 70 /// SHA-384 hash. 71 Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>), 72 /// SHA-512 hash. 73 Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>), 74 /// SHA-224 hash. 75 Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>), 76 } 77 impl From<Hash> for Vec<u8> { 78 #[inline] 79 fn from(value: Hash) -> Self { 80 match value { 81 Hash::Sha256(hash) => hash.to_vec(), 82 Hash::Sha384(hash) => hash.to_vec(), 83 Hash::Sha512(hash) => hash.to_vec(), 84 Hash::Sha224(hash) => hash.to_vec(), 85 } 86 } 87 } 88 impl Hash { 89 /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash 90 /// `cert` (based on the underlying hash algorithm of the signature algorithm). 91 /// 92 /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid 93 /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that 94 /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what 95 /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to 96 /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm. 97 /// 98 /// The only signature algorithms supported are the following: 99 /// 100 /// * id-Ed25519 101 /// * ecdsa-with-SHA256 102 /// * sha256WithRSAEncryption 103 /// * ecdsa-with-SHA384 104 /// * sha384WithRSAEncryption 105 /// * ecdsa-with-SHA512 106 /// * sha512WithRSAEncryption 107 /// * ecdsa-with-SHA224 108 /// * sha224WithRSAEncryption 109 /// * dsa-with-SHA256 110 /// * dsa-with-SHA224 111 /// * dsa-with-SHA1 112 /// * sha1WithRSAEncryption 113 /// 114 /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature. 115 /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`. For example, 116 /// PostgreSQL does not support Ed25519 certificates; however we add support for this since it does not require 117 /// additional dependencies. 118 // 119 // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format 120 // of an X.509 v3 Certificate: 121 // 122 // ```asn 123 // Certificate ::= SEQUENCE { 124 // tbsCertificate TBSCertificate, 125 // signatureAlgorithm AlgorithmIdentifier, 126 // signatureValue BIT STRING } 127 // 128 // TBSCertificate ::= SEQUENCE { … } 129 // 130 // AlgorithmIdentifier ::= SEQUENCE { 131 // algorithm OBJECT IDENTIFIER, 132 // parameters ANY DEFINED BY algorithm OPTIONAL } 133 // ``` 134 // 135 // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en) 136 // describes how DER-encoding works. 137 #[expect( 138 clippy::arithmetic_side_effects, 139 clippy::big_endian_bytes, 140 clippy::indexing_slicing, 141 reason = "comments justify their correctness" 142 )] 143 #[expect(clippy::too_many_lines, reason = "inflated by the const slices")] 144 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 145 fn from_der_cert(cert: &[u8]) -> Option<Self> { 146 /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9) 147 /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19. 148 const ED25519: &[u8] = [43, 101, 112].as_slice(); 149 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 150 /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as 151 /// below per X.690 § 8.19. 152 const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice(); 153 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 154 /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as 155 /// below per X.690 § 8.19. 156 const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice(); 157 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 158 /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as 159 /// below per X.690 § 8.19. 160 const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice(); 161 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 162 /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as 163 /// below per X.690 § 8.19. 164 const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice(); 165 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 166 /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as 167 /// below per X.690 § 8.19. 168 const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice(); 169 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 170 /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as 171 /// below per X.690 § 8.19. 172 const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice(); 173 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 174 /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as 175 /// below per X.690 § 8.19. 176 const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice(); 177 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 178 /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as 179 /// below per X.690 § 8.19. 180 const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice(); 181 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 182 /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as 183 /// below per X.690 § 8.19. 184 const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice(); 185 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 186 /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as 187 /// below per X.690 § 8.19. 188 const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice(); 189 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 190 /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as 191 /// below per X.690 § 8.19. 192 const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice(); 193 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 194 /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as 195 /// below per X.690 § 8.19. 196 const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice(); 197 // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents 198 // the (possibly encoded) length of the remaining payload. 199 cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| { 200 // This won't `panic` since `cert_seq.len() == 2`. 201 // This represents the (possibly encoded) length. 202 // 203 // We don't care about the actual length of the payload. We only care about the number of bytes 204 // we need to skip until the (possibly encoded) length of the constructed sequence of 205 // tbsCertificate. 206 match cert_seq[1] { 207 // The length of the payload is represented with this byte; thus we only need to skip 208 // the constructed sequence byte (i.e., 0x30) of tbsCertificate. 209 ..=127 => Some(1), 210 // The length of the payload is invalid since DER-encoded lengths must use the minimum 211 // number of bytes possible. The high bit is set iff one or more octets are needed to encode 212 // the actual length. The number of octets is represented by the remaining bits; thus this 213 // means there are 0 bytes to encode the length, but then it should have been encoded as 214 // `0` and not `128`. 215 // 216 // 255 is not allowed to be used per § 8.1.3.5. 217 128 | 255 => None, 218 // The remaining bits represent the number of bytes that it takes to encode the length; 219 // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30) 220 // of tbsCertificate. This is the same as just subtracting 127. 221 // 222 // Underflow clearly cannot occur since `len` is at least 129. 223 len @ 129.. => Some(usize::from(len) - 127), 224 } 225 .and_then(|skip| { 226 cert_rem.get(skip..).and_then(|tbs_rem_with_len| { 227 // Remaining payload starting from the (possibly encoded) length of tbsCertificate. 228 tbs_rem_with_len 229 // Extract the (possibly encoded) length of tbsCertificate. 230 .split_first() 231 .and_then(|(tbs_enc_len, tbs_rem)| { 232 // We need to extract how many bytes make up tbsCertificate that way 233 // we can skip it and get to the (possibly encoded) length of 234 // signatureAlgorithm. 235 match *tbs_enc_len { 236 // tbsCertificate is encoded in `len` bytes. We need to skip that many 237 // bytes taking into account the constructed sequence byte (i.e., 0x30) 238 // of signatureAlgorithm. 239 // 240 // This won't overflow since `len` is at most 127; thus this maxes at 128 241 // which is <= `usize::MAX`. 242 len @ ..=127 => Some(usize::from(len) + 1), 243 // The number of bytes tbsCertificate is encoded in takes 1 byte to encode 244 // We get that one byte since that is how many bytes we need to skip taking 245 // into account the byte and the constructed sequence byte (i.e., 0x30) of 246 // signatureAlgorithm. 247 // 248 // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX. 249 129 => tbs_rem.first().map(|len| usize::from(*len) + 2), 250 // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode. 251 // We get the two bytes since that is how many bytes we need to skip. 252 130 => tbs_rem.get(..2).and_then(|enc_len| { 253 let mut big_endian_len = [0; 2]; 254 // This won't `panic` since `enc_len.len() == 2`. 255 big_endian_len.copy_from_slice(enc_len); 256 // Multi-byte lengths are encoded in big-endian. 257 u16::from_be_bytes(big_endian_len) 258 // We need to account for the two bytes and the constructed sequence byte 259 // (i.e., 0x30) of signatureAlgorithm. 260 .checked_add(3) 261 // We don't support payloads larger than 65,535 since that is more than 262 // enough for a single certificate. 263 .map(usize::from) 264 }), 265 // We arbitrarily cap the size of payloads we accept to simplify decoding. 266 // If this is more than 130, then the payload is at least 16,777,216 bytes 267 // which is obscenely large for a single certificate. 128 is invalid. 268 _ => None, 269 } 270 .and_then(|tbs_len| { 271 tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| { 272 // Remaining payload starting from the (possibly encoded) length of 273 // signatureAlgorithm. 274 alg_rem_with_len 275 // Extract the (possibly encoded) length of signatureAlgorithm. 276 .split_first() 277 .and_then(|(alg_enc_len, alg_rem)| { 278 // We need to extract how many bytes make up signatureAlgorithm that way 279 // we can skip it and get to the (possibly encoded) length of algorithm. 280 match *alg_enc_len { 281 // The length of the payload is represented with this byte; thus we 282 // only need to skip the object identifier byte (i.e., 0x06) of 283 // algorithm. 284 ..=127 => Some(1), 285 // The length of the payload is invalid. 286 128 | 255 => None, 287 // The remaining bits represents the number of bytes that it takes to 288 // encode the length; thus we subtract 128 and add 1 to account for 289 // the object identifier byte (i.e., 0x06) of algorithm. 290 // This is the same as just subtracting 127. 291 // 292 // Underflow clearly cannot occur since `len` is at least 129. 293 len @ 129.. => Some(usize::from(len) - 127), 294 } 295 .and_then( 296 |alg_skip| { 297 alg_rem.get(alg_skip..).and_then(|oid_rem| { 298 // Remaining payload starting from the (possibly encoded) 299 // length of algorithm, and we extract the 300 // (possibly encoded) length of algorithm. 301 oid_rem.split_first().and_then( 302 |(oid_enc_len, rem)| { 303 // Extract the algorithm. 304 // Recall we don't care if the certificate is 305 // invalid, and we only support algorithms of 306 // length at most 127. As a result, we treat 307 // `oid_enc_len` as is. 308 rem.get(..usize::from(*oid_enc_len)) 309 .and_then(|oid| match oid { 310 ED25519 | ECDSA_SHA256 311 | RSA_SHA256 | DSA_SHA256 312 // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1) 313 // mandates that SHA-1 based signatures 314 // use SHA-256. 315 | DSA_SHA1 | RSA_SHA1 => { 316 Some(Self::Sha256( 317 Sha256::digest( 318 cert, 319 ), 320 )) 321 } 322 ECDSA_SHA384 323 | RSA_SHA384 => { 324 Some(Self::Sha384( 325 Sha384::digest( 326 cert, 327 ), 328 )) 329 } 330 ECDSA_SHA512 331 | RSA_SHA512 => { 332 Some(Self::Sha512( 333 Sha512::digest( 334 cert, 335 ), 336 )) 337 } 338 ECDSA_SHA224 339 | RSA_SHA224 340 | DSA_SHA224 => { 341 Some(Self::Sha224( 342 Sha224::digest( 343 cert, 344 ), 345 )) 346 } 347 _ => None, 348 }) 349 }, 350 ) 351 }) 352 }, 353 ) 354 }) 355 }) 356 }) 357 }) 358 }) 359 }) 360 }) 361 } 362 } 363 /// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`]. 364 pub struct TlsStream<S>(RustlsStream<S>); 365 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> { 366 #[inline] 367 fn poll_read( 368 mut self: Pin<&mut Self>, 369 cx: &mut Context<'_>, 370 buf: &mut ReadBuf<'_>, 371 ) -> Poll<io::Result<()>> { 372 Pin::new(&mut self.0).poll_read(cx, buf) 373 } 374 } 375 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> { 376 #[inline] 377 fn poll_write( 378 mut self: Pin<&mut Self>, 379 cx: &mut Context<'_>, 380 buf: &[u8], 381 ) -> Poll<Result<usize, io::Error>> { 382 Pin::new(&mut self.0).poll_write(cx, buf) 383 } 384 #[inline] 385 fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> { 386 Pin::new(&mut self.0).poll_flush(cx) 387 } 388 #[inline] 389 fn poll_shutdown( 390 mut self: Pin<&mut Self>, 391 cx: &mut Context<'_>, 392 ) -> Poll<Result<(), io::Error>> { 393 Pin::new(&mut self.0).poll_shutdown(cx) 394 } 395 #[inline] 396 fn poll_write_vectored( 397 mut self: Pin<&mut Self>, 398 cx: &mut Context<'_>, 399 bufs: &[IoSlice<'_>], 400 ) -> Poll<Result<usize, io::Error>> { 401 Pin::new(&mut self.0).poll_write_vectored(cx, bufs) 402 } 403 #[inline] 404 fn is_write_vectored(&self) -> bool { 405 self.0.is_write_vectored() 406 } 407 } 408 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> { 409 /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server. 410 /// 411 /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate 412 /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should 413 /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When 414 /// the certificate is valid and uses a supported signature algorithm, then this will always return the 415 /// correct value. 416 /// 417 /// The only supported signature algorithms are the following: 418 /// 419 /// * id-Ed25519 420 /// * ecdsa-with-SHA256 421 /// * sha256WithRSAEncryption 422 /// * ecdsa-with-SHA384 423 /// * sha384WithRSAEncryption 424 /// * ecdsa-with-SHA512 425 /// * sha512WithRSAEncryption 426 /// * ecdsa-with-SHA224 427 /// * sha224WithRSAEncryption 428 /// * dsa-with-SHA256 429 /// * dsa-with-SHA224 430 /// * dsa-with-SHA1 431 /// * sha1WithRSAEncryption 432 /// 433 /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not 434 /// part of TLS 1.3 are supported, you should avoid them. 435 /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2). 436 /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL 437 /// (e.g., id-Ed25519). 438 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 439 #[inline] 440 fn channel_binding(&self) -> ChannelBinding { 441 self.0 442 .get_ref() 443 .1 444 .peer_certificates() 445 .and_then(|certs| { 446 certs.first().and_then(|fst| { 447 Hash::from_der_cert(fst) 448 .map(|hash| ChannelBinding::tls_server_end_point(hash.into())) 449 }) 450 }) 451 .unwrap_or_else(ChannelBinding::none) 452 } 453 } 454 /// [`TlsConnector::Future`] returned from [`TlsConnector::connect`]. 455 pub struct TlsConnectorFuture<S>(Connect<S>); 456 impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> { 457 type Output = io::Result<TlsStream<S>>; 458 #[inline] 459 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 460 Pin::new(&mut self.0).poll(cx).map_ok(TlsStream) 461 } 462 } 463 /// Connects to the PostgreSQL server. 464 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 465 pub struct TlsConnector<'domain> { 466 /// Used to connect to the PostgreSQL server. 467 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 468 connector: tokio_rustls::TlsConnector, 469 /// The domain or IP of the PostgreSQL server. 470 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 471 dom: ServerName<'domain>, 472 } 473 impl<'domain> TlsConnector<'domain> { 474 /// Returns `Self` based on `connector` and `domain`. 475 /// 476 /// # Errors 477 /// 478 /// Errors iff [`ServerName::try_from`] does when passed `domain`. 479 #[inline] 480 pub fn new<'dom: 'domain>( 481 connector: tokio_rustls::TlsConnector, 482 domain: &'dom str, 483 ) -> Result<Self, InvalidDnsNameError> { 484 ServerName::try_from(domain).map(|dom| Self { connector, dom }) 485 } 486 } 487 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> { 488 type Stream = TlsStream<S>; 489 type Error = io::Error; 490 type Future = TlsConnectorFuture<S>; 491 #[inline] 492 fn connect(self, stream: S) -> Self::Future { 493 TlsConnectorFuture(self.connector.connect(self.dom, stream)) 494 } 495 } 496 /// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`]. 497 #[cfg_attr(docsrs, doc(cfg(feature = "runtime")))] 498 #[cfg(feature = "runtime")] 499 #[derive(Clone)] 500 pub struct MakeTlsConnector(tokio_rustls::TlsConnector); 501 #[cfg(feature = "runtime")] 502 impl MakeTlsConnector { 503 /// Constructs `Self` based on `connector`. 504 #[inline] 505 #[must_use] 506 pub const fn new(connector: tokio_rustls::TlsConnector) -> Self { 507 Self(connector) 508 } 509 } 510 #[cfg(feature = "runtime")] 511 impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector { 512 type Stream = TlsStream<S>; 513 type TlsConnect = TlsConnector<'static>; 514 type Error = InvalidDnsNameError; 515 #[inline] 516 fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> { 517 ServerName::try_from(domain).map(|dom| TlsConnector { 518 connector: self.0.clone(), 519 dom: dom.to_owned(), 520 }) 521 } 522 } 523 /// Removes any ALPN values and adds the `b"postgresql"` ALPN. 524 #[inline] 525 pub fn set_postgresql_alpn(config: &mut ClientConfig) { 526 config.alpn_protocols.clear(); 527 config.alpn_protocols.push(vec![ 528 b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l', 529 ]); 530 } 531 #[cfg(test)] 532 mod tests { 533 #[cfg(feature = "runtime")] 534 extern crate alloc; 535 use super::Hash; 536 #[cfg(feature = "runtime")] 537 use super::MakeTlsConnector; 538 #[cfg(feature = "runtime")] 539 use alloc::sync::Arc; 540 #[cfg(feature = "runtime")] 541 use core::{ 542 net::{IpAddr, Ipv6Addr}, 543 time::Duration, 544 }; 545 use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512}; 546 #[cfg(feature = "runtime")] 547 use std::{fs, io::Error}; 548 #[cfg(feature = "runtime")] 549 use tokio::runtime::Builder; 550 #[cfg(feature = "runtime")] 551 use tokio_postgres::{ 552 Config, 553 config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs}, 554 }; 555 #[cfg(feature = "runtime")] 556 use tokio_rustls::rustls::{ 557 self, ClientConfig, RootCertStore, 558 pki_types::{ 559 CertificateDer, PrivateKeyDer, 560 pem::{Error as PemErr, PemObject as _}, 561 }, 562 version::TLS13, 563 }; 564 #[test] 565 fn test_parse_ed25519() { 566 /// Certificate that uses Ed25519. 567 const CERT: &[u8] = [ 568 48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112, 569 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10, 570 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111, 571 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13, 572 50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4, 573 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13, 574 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 575 33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211, 576 181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48, 577 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240, 578 99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 579 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 580 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 581 22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132, 582 146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167, 583 57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139, 584 17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89, 585 251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0, 586 ] 587 .as_slice(); 588 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 589 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 590 _ => false, 591 }),); 592 } 593 #[test] 594 fn test_parse_ecdsa_sha256() { 595 /// Certificate that uses ECDSA with SHA-256. 596 const CERT: &[u8] = [ 597 48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72, 598 206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 599 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 600 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51, 601 48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48, 602 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 603 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7, 604 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27, 605 22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187, 606 134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95, 607 59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155, 608 58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 609 22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167, 610 224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 611 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 612 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133, 613 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10, 614 6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111, 615 216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211, 616 19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207, 617 160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85, 618 56, 11, 178, 88, 619 ] 620 .as_slice(); 621 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 622 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 623 _ => false, 624 }),); 625 } 626 #[test] 627 fn test_parse_ecdsa_sha384() { 628 /// Certificate that uses ECDSA with SHA-384. 629 const CERT: &[u8] = [ 630 48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72, 631 206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 632 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 633 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51, 634 55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48, 635 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 636 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7, 637 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228, 638 83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231, 639 78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62, 640 47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107, 641 6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235, 642 159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117, 643 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100, 644 191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1, 645 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 646 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 647 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 648 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0, 649 48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234, 650 232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2, 651 32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3, 652 23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255, 653 ] 654 .as_slice(); 655 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 656 Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT), 657 _ => false, 658 }),); 659 } 660 #[test] 661 fn test_parse_ecdsa_sha512() { 662 /// Certificate that uses ECDSA with SHA-512. 663 const CERT: &[u8] = [ 664 48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72, 665 206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 666 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 667 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51, 668 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48, 669 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 670 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6, 671 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143, 672 210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219, 673 111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89, 674 120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129, 675 214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106, 676 145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116, 677 232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102, 678 166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48, 679 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13, 680 164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1, 681 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 682 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 683 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 684 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0, 685 48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233, 686 218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0, 687 141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113, 688 232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108, 689 ] 690 .as_slice(); 691 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 692 Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT), 693 _ => false, 694 }),); 695 } 696 #[test] 697 fn test_parse_ecdsa_sha224() { 698 /// Certificate that uses ECDSA with SHA-224. 699 const CERT: &[u8] = [ 700 48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72, 701 206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 702 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 703 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49, 704 52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48, 705 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 706 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7, 707 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78, 708 60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158, 709 214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193, 710 136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115, 711 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91, 712 221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 713 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 714 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 715 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 716 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2, 717 32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159, 718 33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115, 719 52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22, 720 165, 212, 65, 202, 124, 15, 53, 150, 93, 183, 721 ] 722 .as_slice(); 723 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 724 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 725 _ => false, 726 }),); 727 } 728 #[test] 729 fn test_parse_rsa_sha256() { 730 /// Certificate that uses RSA with SHA-256. 731 const CERT: &[u8] = [ 732 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72, 733 134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 734 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 735 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 736 48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43, 737 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 738 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 739 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 740 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 741 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 742 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 743 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 744 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 745 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 746 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 747 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 748 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 749 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 750 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 751 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 752 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 753 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 754 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 755 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 756 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 757 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 758 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 759 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 760 11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24, 761 94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31, 762 178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87, 763 119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46, 764 105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241, 765 110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11, 766 121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119, 767 78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8, 768 43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96, 769 232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108, 770 107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123, 771 247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135, 772 136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36, 773 61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77, 774 50, 219, 97, 775 ] 776 .as_slice(); 777 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 778 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 779 _ => false, 780 }),); 781 } 782 #[test] 783 fn test_parse_rsa_sha384() { 784 /// Certificate that uses RSA with SHA-384. 785 const CERT: &[u8] = [ 786 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72, 787 134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 788 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 789 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 790 48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43, 791 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 792 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 793 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 794 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 795 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 796 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 797 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 798 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 799 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 800 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 801 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 802 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 803 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 804 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 805 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 806 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 807 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 808 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 809 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 810 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 811 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 812 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 813 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 814 12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221, 815 134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74, 816 96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79, 817 104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150, 818 46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208, 819 229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237, 820 164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251, 821 199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111, 822 92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49, 823 252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14, 824 129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159, 825 40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25, 826 93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25, 827 4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72, 828 ] 829 .as_slice(); 830 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 831 Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT), 832 _ => false, 833 }),); 834 } 835 #[test] 836 fn test_parse_rsa_sha512() { 837 /// Certificate that uses RSA with SHA-512. 838 const CERT: &[u8] = [ 839 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72, 840 134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 841 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 842 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 843 48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43, 844 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 845 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 846 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 847 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 848 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 849 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 850 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 851 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 852 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 853 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 854 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 855 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 856 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 857 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 858 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 859 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 860 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 861 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 862 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 863 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 864 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 865 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 866 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 867 13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67, 868 167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210, 869 169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33, 870 56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197, 871 190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224, 872 95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1, 873 25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142, 874 231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126, 875 106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14, 876 210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14, 877 14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110, 878 78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246, 879 176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119, 880 14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105, 881 ] 882 .as_slice(); 883 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 884 Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT), 885 _ => false, 886 }),); 887 } 888 #[test] 889 fn test_parse_rsa_sha224() { 890 /// Certificate that uses RSA with SHA-224. 891 const CERT: &[u8] = [ 892 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72, 893 134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 894 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 895 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 896 53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43, 897 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 898 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 899 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 900 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 901 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 902 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 903 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 904 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 905 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 906 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 907 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 908 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 909 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 910 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 911 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 912 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 913 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 914 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 915 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 916 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 917 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 918 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 919 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 920 14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93, 921 193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214, 922 211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229, 923 122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209, 924 202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210, 925 167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64, 926 180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1, 927 86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4, 928 129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51, 929 221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41, 930 151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96, 931 67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156, 932 222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215, 933 211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232, 934 ] 935 .as_slice(); 936 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 937 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 938 _ => false, 939 }),); 940 } 941 #[test] 942 fn test_parse_rsa_sha1() { 943 /// Certificate that uses RSA with SHA-1. 944 const CERT: &[u8] = [ 945 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72, 946 134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 947 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 948 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 949 48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43, 950 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 951 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 952 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 953 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 954 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 955 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 956 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 957 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 958 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 959 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 960 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 961 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 962 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 963 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 964 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 965 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 966 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 967 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 968 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 969 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 970 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 971 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 972 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 973 5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85, 974 60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113, 975 217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44, 976 153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210, 977 157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2, 978 119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136, 979 83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200, 980 140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196, 981 248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143, 982 48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216, 983 152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85, 984 98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0, 985 30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127, 986 143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115, 987 ] 988 .as_slice(); 989 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 990 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 991 _ => false, 992 }),); 993 } 994 #[test] 995 fn test_parse_dsa_sha256() { 996 /// Certificate that uses DSA with SHA-256. 997 const CERT: &[u8] = [ 998 48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72, 999 1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 1000 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 1001 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51, 1002 48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11, 1003 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 1004 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 1005 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 1006 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 1007 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1008 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1009 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1010 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1011 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1012 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1013 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1014 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1015 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1016 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1017 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1018 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1019 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1020 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1021 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1022 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1023 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1024 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1025 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1026 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1027 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1028 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1029 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1030 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1031 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1032 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1033 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1034 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1035 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1036 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1037 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1038 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1039 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1040 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1041 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1042 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1043 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1044 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1045 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1046 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1047 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1048 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1049 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1050 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1051 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1052 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1053 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1054 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64, 1055 0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153, 1056 169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77, 1057 179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16, 1058 148, 80, 118, 28, 75, 176, 1059 ] 1060 .as_slice(); 1061 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1062 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 1063 _ => false, 1064 }),); 1065 } 1066 #[test] 1067 fn test_parse_dsa_sha224() { 1068 /// Certificate that uses DSA with SHA-224. 1069 const CERT: &[u8] = [ 1070 48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72, 1071 1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 1072 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 1073 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50, 1074 50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11, 1075 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 1076 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 1077 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 1078 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 1079 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1080 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1081 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1082 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1083 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1084 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1085 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1086 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1087 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1088 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1089 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1090 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1091 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1092 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1093 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1094 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1095 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1096 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1097 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1098 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1099 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1100 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1101 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1102 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1103 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1104 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1105 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1106 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1107 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1108 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1109 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1110 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1111 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1112 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1113 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1114 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1115 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1116 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1117 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1118 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1119 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1120 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1121 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1122 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1123 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1124 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1125 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1126 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65, 1127 0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161, 1128 118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44, 1129 225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120, 1130 100, 231, 84, 218, 88, 80, 255, 1131 ] 1132 .as_slice(); 1133 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1134 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 1135 _ => false, 1136 }),); 1137 } 1138 #[test] 1139 fn test_parse_dsa_sha1() { 1140 /// Certificate that uses DSA with SHA-1. 1141 const CERT: &[u8] = [ 1142 48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72, 1143 206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 1144 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 1145 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55, 1146 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9, 1147 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 1148 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130, 1149 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194, 1150 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45, 1151 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1152 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1153 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1154 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1155 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1156 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1157 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1158 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1159 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1160 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1161 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1162 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1163 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1164 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1165 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1166 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1167 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1168 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1169 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1170 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1171 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1172 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1173 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1174 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1175 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1176 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1177 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1178 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1179 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1180 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1181 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1182 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1183 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1184 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1185 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1186 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1187 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1188 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1189 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1190 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1191 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1192 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1193 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1194 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1195 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1196 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1197 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1198 16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48, 1199 60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97, 1200 82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204, 1201 39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75, 1202 203, 163, 99, 1203 ] 1204 .as_slice(); 1205 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1206 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 1207 _ => false, 1208 }),); 1209 } 1210 #[cfg(feature = "runtime")] 1211 #[derive(Debug)] 1212 enum E { 1213 #[expect(dead_code, reason = "does not matter for tests")] 1214 Io(Error), 1215 #[expect(dead_code, reason = "does not matter for tests")] 1216 Rustls(rustls::Error), 1217 #[expect(dead_code, reason = "does not matter for tests")] 1218 Postgres(tokio_postgres::Error), 1219 NoRootCert, 1220 MultipleRootCerts, 1221 NoClientKey, 1222 MultipleClientKeys, 1223 #[expect(dead_code, reason = "does not matter for tests")] 1224 RustlsPem(PemErr), 1225 } 1226 #[cfg(feature = "runtime")] 1227 impl From<Error> for E { 1228 fn from(value: Error) -> Self { 1229 Self::Io(value) 1230 } 1231 } 1232 #[cfg(feature = "runtime")] 1233 impl From<rustls::Error> for E { 1234 fn from(value: rustls::Error) -> Self { 1235 Self::Rustls(value) 1236 } 1237 } 1238 #[cfg(feature = "runtime")] 1239 impl From<tokio_postgres::Error> for E { 1240 fn from(value: tokio_postgres::Error) -> Self { 1241 Self::Postgres(value) 1242 } 1243 } 1244 #[cfg(feature = "runtime")] 1245 impl From<PemErr> for E { 1246 fn from(value: PemErr) -> Self { 1247 Self::RustlsPem(value) 1248 } 1249 } 1250 #[cfg(feature = "runtime")] 1251 #[ignore] 1252 #[test] 1253 fn test_mutual_tls() -> Result<(), E> { 1254 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1255 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1256 let key_file = fs::read("test_data/client.key.pem")?; 1257 let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice()); 1258 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1259 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1260 |cert_res| { 1261 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1262 cert_iter.next().map_or_else( 1263 || { 1264 let mut root_store = RootCertStore::empty(); 1265 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1266 }, 1267 |_| Err(E::MultipleRootCerts), 1268 ) 1269 }) 1270 }, 1271 )?) 1272 .with_client_auth_cert( 1273 CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice()) 1274 .try_fold(Vec::with_capacity(1), |mut certs, res| { 1275 res.map(|cert| { 1276 certs.push(cert); 1277 certs 1278 }) 1279 })?, 1280 key_iter 1281 .next() 1282 .ok_or_else(|| E::NoClientKey) 1283 .and_then(|key_res| { 1284 key_res.map_err(E::RustlsPem).and_then(|key| { 1285 key_iter 1286 .next() 1287 .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys)) 1288 }) 1289 })?, 1290 )?; 1291 super::set_postgresql_alpn(&mut conf); 1292 let mut config = Config::new(); 1293 let connection = config 1294 .application_name("test") 1295 .channel_binding(ChannelBinding::Disable) 1296 .connect_timeout(Duration::from_secs(4)) 1297 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1298 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1299 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1300 .keepalives(false) 1301 .load_balance_hosts(LoadBalanceHosts::Disable) 1302 .port(5432) 1303 .ssl_mode(SslMode::Require) 1304 .target_session_attrs(TargetSessionAttrs::Any) 1305 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1306 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1307 Builder::new_current_thread() 1308 .enable_all() 1309 .build()? 1310 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1311 } 1312 #[cfg(feature = "runtime")] 1313 #[ignore] 1314 #[test] 1315 fn test_password_and_channel_binding() -> Result<(), E> { 1316 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1317 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1318 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1319 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1320 |cert_res| { 1321 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1322 cert_iter.next().map_or_else( 1323 || { 1324 let mut root_store = RootCertStore::empty(); 1325 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1326 }, 1327 |_| Err(E::MultipleRootCerts), 1328 ) 1329 }) 1330 }, 1331 )?) 1332 .with_no_client_auth(); 1333 super::set_postgresql_alpn(&mut conf); 1334 let mut config = Config::new(); 1335 let connection = config 1336 .application_name("test") 1337 .channel_binding(ChannelBinding::Require) 1338 .connect_timeout(Duration::from_secs(4)) 1339 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1340 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1341 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1342 .keepalives(false) 1343 .load_balance_hosts(LoadBalanceHosts::Disable) 1344 .password(fs::read("test_data/password")?.trim_ascii_end()) 1345 .port(5432) 1346 .ssl_mode(SslMode::Require) 1347 .target_session_attrs(TargetSessionAttrs::Any) 1348 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1349 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1350 Builder::new_current_thread() 1351 .enable_all() 1352 .build()? 1353 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1354 } 1355 }