lib.rs (88951B)
1 //! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate) 2 //! 3 //! [git]: https://git.philomathiclife.com/git_badge.svg 4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust 5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs 6 //! 7 //! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`]. 8 #![cfg_attr(docsrs, feature(doc_cfg))] 9 #![deny( 10 unknown_lints, 11 future_incompatible, 12 let_underscore, 13 missing_docs, 14 nonstandard_style, 15 refining_impl_trait, 16 rust_2018_compatibility, 17 rust_2018_idioms, 18 rust_2021_compatibility, 19 rust_2024_compatibility, 20 unsafe_code, 21 unused, 22 warnings, 23 clippy::all, 24 clippy::cargo, 25 clippy::complexity, 26 clippy::correctness, 27 clippy::nursery, 28 clippy::pedantic, 29 clippy::perf, 30 clippy::restriction, 31 clippy::style, 32 clippy::suspicious 33 )] 34 #![expect( 35 clippy::arbitrary_source_item_ordering, 36 clippy::blanket_clippy_restriction_lints, 37 clippy::implicit_return, 38 clippy::missing_trait_methods, 39 clippy::multiple_crate_versions, 40 clippy::return_and_then, 41 clippy::single_call_fn, 42 reason = "noisy, opinionated, and likely doesn't prevent bugs or improve APIs" 43 )] 44 use core::{ 45 future::Future, 46 pin::Pin, 47 task::{Context, Poll}, 48 }; 49 use sha2::{ 50 Sha224, Sha256, Sha384, Sha512, 51 digest::{Digest as _, OutputSizeUser, generic_array::GenericArray}, 52 }; 53 use std::io::{self, IoSlice}; 54 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf}; 55 #[cfg(feature = "runtime")] 56 use tokio_postgres::tls::MakeTlsConnect; 57 use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream}; 58 use tokio_rustls::{ 59 self, Connect, 60 client::TlsStream as RustlsStream, 61 rustls::{ 62 ClientConfig, 63 pki_types::{InvalidDnsNameError, ServerName}, 64 }, 65 }; 66 /// Hash for the leaf certificate provided by the PostgreSQL server. 67 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 68 enum Hash { 69 /// SHA-256 hash. 70 Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>), 71 /// SHA-384 hash. 72 Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>), 73 /// SHA-512 hash. 74 Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>), 75 /// SHA-224 hash. 76 Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>), 77 } 78 impl From<Hash> for Vec<u8> { 79 #[inline] 80 fn from(value: Hash) -> Self { 81 match value { 82 Hash::Sha256(hash) => hash.to_vec(), 83 Hash::Sha384(hash) => hash.to_vec(), 84 Hash::Sha512(hash) => hash.to_vec(), 85 Hash::Sha224(hash) => hash.to_vec(), 86 } 87 } 88 } 89 impl Hash { 90 /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash 91 /// `cert` (based on the underlying hash algorithm of the signature algorithm). 92 /// 93 /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid 94 /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that 95 /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what 96 /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to 97 /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm. 98 /// 99 /// The only signature algorithms supported are the following: 100 /// 101 /// * id-Ed25519 102 /// * ecdsa-with-SHA256 103 /// * sha256WithRSAEncryption 104 /// * ecdsa-with-SHA384 105 /// * sha384WithRSAEncryption 106 /// * ecdsa-with-SHA512 107 /// * sha512WithRSAEncryption 108 /// * ecdsa-with-SHA224 109 /// * sha224WithRSAEncryption 110 /// * dsa-with-SHA256 111 /// * dsa-with-SHA224 112 /// * dsa-with-SHA1 113 /// * sha1WithRSAEncryption 114 /// 115 /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature. 116 /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`. For example, 117 /// PostgreSQL does not support Ed25519 certificates; however we add support for this since it does not require 118 /// additional dependencies. 119 // 120 // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format 121 // of an X.509 v3 Certificate: 122 // 123 // ```asn 124 // Certificate ::= SEQUENCE { 125 // tbsCertificate TBSCertificate, 126 // signatureAlgorithm AlgorithmIdentifier, 127 // signatureValue BIT STRING } 128 // 129 // TBSCertificate ::= SEQUENCE { … } 130 // 131 // AlgorithmIdentifier ::= SEQUENCE { 132 // algorithm OBJECT IDENTIFIER, 133 // parameters ANY DEFINED BY algorithm OPTIONAL } 134 // ``` 135 // 136 // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en) 137 // describes how DER-encoding works. 138 #[expect( 139 clippy::arithmetic_side_effects, 140 clippy::big_endian_bytes, 141 clippy::indexing_slicing, 142 reason = "comments justify their correctness" 143 )] 144 #[expect(clippy::too_many_lines, reason = "inflated by the const slices")] 145 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 146 fn from_der_cert(cert: &[u8]) -> Option<Self> { 147 /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9) 148 /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19. 149 const ED25519: &[u8] = [43, 101, 112].as_slice(); 150 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 151 /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as 152 /// below per X.690 § 8.19. 153 const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice(); 154 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 155 /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as 156 /// below per X.690 § 8.19. 157 const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice(); 158 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 159 /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as 160 /// below per X.690 § 8.19. 161 const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice(); 162 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 163 /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as 164 /// below per X.690 § 8.19. 165 const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice(); 166 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 167 /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as 168 /// below per X.690 § 8.19. 169 const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice(); 170 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 171 /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as 172 /// below per X.690 § 8.19. 173 const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice(); 174 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 175 /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as 176 /// below per X.690 § 8.19. 177 const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice(); 178 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 179 /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as 180 /// below per X.690 § 8.19. 181 const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice(); 182 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 183 /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as 184 /// below per X.690 § 8.19. 185 const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice(); 186 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 187 /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as 188 /// below per X.690 § 8.19. 189 const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice(); 190 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 191 /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as 192 /// below per X.690 § 8.19. 193 const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice(); 194 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 195 /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as 196 /// below per X.690 § 8.19. 197 const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice(); 198 // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents 199 // the (possibly encoded) length of the remaining payload. 200 cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| { 201 // This won't `panic` since `cert_seq.len() == 2`. 202 // This represents the (possibly encoded) length. 203 // 204 // We don't care about the actual length of the payload. We only care about the number of bytes 205 // we need to skip until the (possibly encoded) length of the constructed sequence of 206 // tbsCertificate. 207 match cert_seq[1] { 208 // The length of the payload is represented with this byte; thus we only need to skip 209 // the constructed sequence byte (i.e., 0x30) of tbsCertificate. 210 ..=127 => Some(1), 211 // The length of the payload is invalid since DER-encoded lengths must use the minimum 212 // number of bytes possible. The high bit is set iff one or more octets are needed to encode 213 // the actual length. The number of octets is represented by the remaining bits; thus this 214 // means there are 0 bytes to encode the length, but then it should have been encoded as 215 // `0` and not `128`. 216 // 217 // 255 is not allowed to be used per § 8.1.3.5. 218 128 | 255 => None, 219 // The remaining bits represent the number of bytes that it takes to encode the length; 220 // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30) 221 // of tbsCertificate. This is the same as just subtracting 127. 222 // 223 // Underflow clearly cannot occur since `len` is at least 129. 224 len @ 129.. => Some(usize::from(len) - 127), 225 } 226 .and_then(|skip| { 227 cert_rem.get(skip..).and_then(|tbs_rem_with_len| { 228 // Remaining payload starting from the (possibly encoded) length of tbsCertificate. 229 tbs_rem_with_len 230 // Extract the (possibly encoded) length of tbsCertificate. 231 .split_first() 232 .and_then(|(tbs_enc_len, tbs_rem)| { 233 // We need to extract how many bytes make up tbsCertificate that way 234 // we can skip it and get to the (possibly encoded) length of 235 // signatureAlgorithm. 236 match *tbs_enc_len { 237 // tbsCertificate is encoded in `len` bytes. We need to skip that many 238 // bytes taking into account the constructed sequence byte (i.e., 0x30) 239 // of signatureAlgorithm. 240 // 241 // This won't overflow since `len` is at most 127; thus this maxes at 128 242 // which is <= `usize::MAX`. 243 len @ ..=127 => Some(usize::from(len) + 1), 244 // The number of bytes tbsCertificate is encoded in takes 1 byte to encode 245 // We get that one byte since that is how many bytes we need to skip taking 246 // into account the byte and the constructed sequence byte (i.e., 0x30) of 247 // signatureAlgorithm. 248 // 249 // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX. 250 129 => tbs_rem.first().map(|len| usize::from(*len) + 2), 251 // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode. 252 // We get the two bytes since that is how many bytes we need to skip. 253 130 => tbs_rem.get(..2).and_then(|enc_len| { 254 let mut big_endian_len = [0; 2]; 255 // This won't `panic` since `enc_len.len() == 2`. 256 big_endian_len.copy_from_slice(enc_len); 257 // Multi-byte lengths are encoded in big-endian. 258 u16::from_be_bytes(big_endian_len) 259 // We need to account for the two bytes and the constructed sequence byte 260 // (i.e., 0x30) of signatureAlgorithm. 261 .checked_add(3) 262 // We don't support payloads larger than 65,535 since that is more than 263 // enough for a single certificate. 264 .map(usize::from) 265 }), 266 // We arbitrarily cap the size of payloads we accept to simplify decoding. 267 // If this is more than 130, then the payload is at least 16,777,216 bytes 268 // which is obscenely large for a single certificate. 128 is invalid. 269 _ => None, 270 } 271 .and_then(|tbs_len| { 272 tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| { 273 // Remaining payload starting from the (possibly encoded) length of 274 // signatureAlgorithm. 275 alg_rem_with_len 276 // Extract the (possibly encoded) length of signatureAlgorithm. 277 .split_first() 278 .and_then(|(alg_enc_len, alg_rem)| { 279 // We need to extract how many bytes make up signatureAlgorithm that way 280 // we can skip it and get to the (possibly encoded) length of algorithm. 281 match *alg_enc_len { 282 // The length of the payload is represented with this byte; thus we 283 // only need to skip the object identifier byte (i.e., 0x06) of 284 // algorithm. 285 ..=127 => Some(1), 286 // The length of the payload is invalid. 287 128 | 255 => None, 288 // The remaining bits represents the number of bytes that it takes to 289 // encode the length; thus we subtract 128 and add 1 to account for 290 // the object identifier byte (i.e., 0x06) of algorithm. 291 // This is the same as just subtracting 127. 292 // 293 // Underflow clearly cannot occur since `len` is at least 129. 294 len @ 129.. => Some(usize::from(len) - 127), 295 } 296 .and_then( 297 |alg_skip| { 298 alg_rem.get(alg_skip..).and_then(|oid_rem| { 299 // Remaining payload starting from the (possibly encoded) 300 // length of algorithm, and we extract the 301 // (possibly encoded) length of algorithm. 302 oid_rem.split_first().and_then( 303 |(oid_enc_len, rem)| { 304 // Extract the algorithm. 305 // Recall we don't care if the certificate is 306 // invalid, and we only support algorithms of 307 // length at most 127. As a result, we treat 308 // `oid_enc_len` as is. 309 rem.get(..usize::from(*oid_enc_len)) 310 .and_then(|oid| match oid { 311 ED25519 | ECDSA_SHA256 312 | RSA_SHA256 | DSA_SHA256 313 // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1) 314 // mandates that SHA-1 based signatures 315 // use SHA-256. 316 | DSA_SHA1 | RSA_SHA1 => { 317 Some(Self::Sha256( 318 Sha256::digest( 319 cert, 320 ), 321 )) 322 } 323 ECDSA_SHA384 324 | RSA_SHA384 => { 325 Some(Self::Sha384( 326 Sha384::digest( 327 cert, 328 ), 329 )) 330 } 331 ECDSA_SHA512 332 | RSA_SHA512 => { 333 Some(Self::Sha512( 334 Sha512::digest( 335 cert, 336 ), 337 )) 338 } 339 ECDSA_SHA224 340 | RSA_SHA224 341 | DSA_SHA224 => { 342 Some(Self::Sha224( 343 Sha224::digest( 344 cert, 345 ), 346 )) 347 } 348 _ => None, 349 }) 350 }, 351 ) 352 }) 353 }, 354 ) 355 }) 356 }) 357 }) 358 }) 359 }) 360 }) 361 }) 362 } 363 } 364 /// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`]. 365 pub struct TlsStream<S>(RustlsStream<S>); 366 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> { 367 #[inline] 368 fn poll_read( 369 mut self: Pin<&mut Self>, 370 cx: &mut Context<'_>, 371 buf: &mut ReadBuf<'_>, 372 ) -> Poll<io::Result<()>> { 373 Pin::new(&mut self.0).poll_read(cx, buf) 374 } 375 } 376 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> { 377 #[inline] 378 fn poll_write( 379 mut self: Pin<&mut Self>, 380 cx: &mut Context<'_>, 381 buf: &[u8], 382 ) -> Poll<Result<usize, io::Error>> { 383 Pin::new(&mut self.0).poll_write(cx, buf) 384 } 385 #[inline] 386 fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> { 387 Pin::new(&mut self.0).poll_flush(cx) 388 } 389 #[inline] 390 fn poll_shutdown( 391 mut self: Pin<&mut Self>, 392 cx: &mut Context<'_>, 393 ) -> Poll<Result<(), io::Error>> { 394 Pin::new(&mut self.0).poll_shutdown(cx) 395 } 396 #[inline] 397 fn poll_write_vectored( 398 mut self: Pin<&mut Self>, 399 cx: &mut Context<'_>, 400 bufs: &[IoSlice<'_>], 401 ) -> Poll<Result<usize, io::Error>> { 402 Pin::new(&mut self.0).poll_write_vectored(cx, bufs) 403 } 404 #[inline] 405 fn is_write_vectored(&self) -> bool { 406 self.0.is_write_vectored() 407 } 408 } 409 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> { 410 /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server. 411 /// 412 /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate 413 /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should 414 /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When 415 /// the certificate is valid and uses a supported signature algorithm, then this will always return the 416 /// correct value. 417 /// 418 /// The only supported signature algorithms are the following: 419 /// 420 /// * id-Ed25519 421 /// * ecdsa-with-SHA256 422 /// * sha256WithRSAEncryption 423 /// * ecdsa-with-SHA384 424 /// * sha384WithRSAEncryption 425 /// * ecdsa-with-SHA512 426 /// * sha512WithRSAEncryption 427 /// * ecdsa-with-SHA224 428 /// * sha224WithRSAEncryption 429 /// * dsa-with-SHA256 430 /// * dsa-with-SHA224 431 /// * dsa-with-SHA1 432 /// * sha1WithRSAEncryption 433 /// 434 /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not 435 /// part of TLS 1.3 are supported, you should avoid them. 436 /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2). 437 /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL 438 /// (e.g., id-Ed25519). 439 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 440 #[inline] 441 fn channel_binding(&self) -> ChannelBinding { 442 self.0 443 .get_ref() 444 .1 445 .peer_certificates() 446 .and_then(|certs| { 447 certs.first().and_then(|fst| { 448 Hash::from_der_cert(fst) 449 .map(|hash| ChannelBinding::tls_server_end_point(hash.into())) 450 }) 451 }) 452 .unwrap_or_else(ChannelBinding::none) 453 } 454 } 455 /// [`TlsConnector::Future`] returned from [`TlsConnector::connect`]. 456 pub struct TlsConnectorFuture<S>(Connect<S>); 457 impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> { 458 type Output = io::Result<TlsStream<S>>; 459 #[inline] 460 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 461 Pin::new(&mut self.0).poll(cx).map_ok(TlsStream) 462 } 463 } 464 /// Connects to the PostgreSQL server. 465 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 466 pub struct TlsConnector<'domain> { 467 /// Used to connect to the PostgreSQL server. 468 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 469 connector: tokio_rustls::TlsConnector, 470 /// The domain or IP of the PostgreSQL server. 471 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 472 dom: ServerName<'domain>, 473 } 474 impl<'domain> TlsConnector<'domain> { 475 /// Returns `Self` based on `connector` and `domain`. 476 /// 477 /// # Errors 478 /// 479 /// Errors iff [`ServerName::try_from`] does when passed `domain`. 480 #[inline] 481 pub fn new<'dom: 'domain>( 482 connector: tokio_rustls::TlsConnector, 483 domain: &'dom str, 484 ) -> Result<Self, InvalidDnsNameError> { 485 ServerName::try_from(domain).map(|dom| Self { connector, dom }) 486 } 487 } 488 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> { 489 type Stream = TlsStream<S>; 490 type Error = io::Error; 491 type Future = TlsConnectorFuture<S>; 492 #[inline] 493 fn connect(self, stream: S) -> Self::Future { 494 TlsConnectorFuture(self.connector.connect(self.dom, stream)) 495 } 496 } 497 /// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`]. 498 #[cfg_attr(docsrs, doc(cfg(feature = "runtime")))] 499 #[cfg(feature = "runtime")] 500 #[derive(Clone)] 501 pub struct MakeTlsConnector(tokio_rustls::TlsConnector); 502 #[cfg(feature = "runtime")] 503 impl MakeTlsConnector { 504 /// Constructs `Self` based on `connector`. 505 #[inline] 506 #[must_use] 507 pub const fn new(connector: tokio_rustls::TlsConnector) -> Self { 508 Self(connector) 509 } 510 } 511 #[cfg(feature = "runtime")] 512 impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector { 513 type Stream = TlsStream<S>; 514 type TlsConnect = TlsConnector<'static>; 515 type Error = InvalidDnsNameError; 516 #[inline] 517 fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> { 518 ServerName::try_from(domain).map(|dom| TlsConnector { 519 connector: self.0.clone(), 520 dom: dom.to_owned(), 521 }) 522 } 523 } 524 /// Removes any ALPN values and adds the `b"postgresql"` ALPN. 525 #[inline] 526 pub fn set_postgresql_alpn(config: &mut ClientConfig) { 527 config.alpn_protocols.clear(); 528 config.alpn_protocols.push(vec![ 529 b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l', 530 ]); 531 } 532 #[cfg(test)] 533 mod tests { 534 #[cfg(feature = "runtime")] 535 extern crate alloc; 536 use super::Hash; 537 #[cfg(feature = "runtime")] 538 use super::MakeTlsConnector; 539 #[cfg(feature = "runtime")] 540 use alloc::sync::Arc; 541 #[cfg(feature = "runtime")] 542 use core::{ 543 net::{IpAddr, Ipv6Addr}, 544 time::Duration, 545 }; 546 use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512}; 547 #[cfg(feature = "runtime")] 548 use std::{fs, io::Error}; 549 #[cfg(feature = "runtime")] 550 use tokio::runtime::Builder; 551 #[cfg(feature = "runtime")] 552 use tokio_postgres::{ 553 Config, 554 config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs}, 555 }; 556 #[cfg(feature = "runtime")] 557 use tokio_rustls::rustls::{ 558 self, ClientConfig, RootCertStore, 559 pki_types::{ 560 CertificateDer, PrivateKeyDer, 561 pem::{Error as PemErr, PemObject as _}, 562 }, 563 version::TLS13, 564 }; 565 #[test] 566 fn test_parse_ed25519() { 567 /// Certificate that uses Ed25519. 568 const CERT: &[u8] = [ 569 48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112, 570 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10, 571 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111, 572 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13, 573 50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4, 574 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13, 575 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 576 33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211, 577 181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48, 578 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240, 579 99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 580 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 581 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 582 22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132, 583 146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167, 584 57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139, 585 17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89, 586 251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0, 587 ] 588 .as_slice(); 589 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 590 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 591 _ => false, 592 }),); 593 } 594 #[test] 595 fn test_parse_ecdsa_sha256() { 596 /// Certificate that uses ECDSA with SHA-256. 597 const CERT: &[u8] = [ 598 48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72, 599 206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 600 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 601 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51, 602 48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48, 603 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 604 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7, 605 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27, 606 22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187, 607 134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95, 608 59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155, 609 58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 610 22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167, 611 224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 612 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 613 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133, 614 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10, 615 6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111, 616 216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211, 617 19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207, 618 160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85, 619 56, 11, 178, 88, 620 ] 621 .as_slice(); 622 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 623 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 624 _ => false, 625 }),); 626 } 627 #[test] 628 fn test_parse_ecdsa_sha384() { 629 /// Certificate that uses ECDSA with SHA-384. 630 const CERT: &[u8] = [ 631 48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72, 632 206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 633 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 634 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51, 635 55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48, 636 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 637 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7, 638 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228, 639 83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231, 640 78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62, 641 47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107, 642 6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235, 643 159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117, 644 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100, 645 191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1, 646 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 647 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 648 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 649 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0, 650 48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234, 651 232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2, 652 32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3, 653 23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255, 654 ] 655 .as_slice(); 656 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 657 Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT), 658 _ => false, 659 }),); 660 } 661 #[test] 662 fn test_parse_ecdsa_sha512() { 663 /// Certificate that uses ECDSA with SHA-512. 664 const CERT: &[u8] = [ 665 48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72, 666 206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 667 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 668 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51, 669 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48, 670 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 671 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6, 672 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143, 673 210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219, 674 111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89, 675 120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129, 676 214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106, 677 145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116, 678 232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102, 679 166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48, 680 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13, 681 164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1, 682 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 683 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 684 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 685 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0, 686 48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233, 687 218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0, 688 141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113, 689 232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108, 690 ] 691 .as_slice(); 692 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 693 Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT), 694 _ => false, 695 }),); 696 } 697 #[test] 698 fn test_parse_ecdsa_sha224() { 699 /// Certificate that uses ECDSA with SHA-224. 700 const CERT: &[u8] = [ 701 48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72, 702 206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 703 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 704 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49, 705 52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48, 706 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 707 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7, 708 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78, 709 60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158, 710 214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193, 711 136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115, 712 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91, 713 221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 714 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 715 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 716 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 717 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2, 718 32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159, 719 33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115, 720 52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22, 721 165, 212, 65, 202, 124, 15, 53, 150, 93, 183, 722 ] 723 .as_slice(); 724 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 725 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 726 _ => false, 727 }),); 728 } 729 #[test] 730 fn test_parse_rsa_sha256() { 731 /// Certificate that uses RSA with SHA-256. 732 const CERT: &[u8] = [ 733 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72, 734 134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 735 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 736 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 737 48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43, 738 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 739 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 740 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 741 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 742 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 743 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 744 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 745 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 746 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 747 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 748 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 749 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 750 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 751 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 752 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 753 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 754 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 755 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 756 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 757 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 758 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 759 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 760 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 761 11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24, 762 94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31, 763 178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87, 764 119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46, 765 105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241, 766 110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11, 767 121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119, 768 78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8, 769 43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96, 770 232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108, 771 107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123, 772 247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135, 773 136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36, 774 61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77, 775 50, 219, 97, 776 ] 777 .as_slice(); 778 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 779 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 780 _ => false, 781 }),); 782 } 783 #[test] 784 fn test_parse_rsa_sha384() { 785 /// Certificate that uses RSA with SHA-384. 786 const CERT: &[u8] = [ 787 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72, 788 134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 789 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 790 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 791 48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43, 792 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 793 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 794 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 795 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 796 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 797 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 798 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 799 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 800 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 801 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 802 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 803 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 804 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 805 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 806 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 807 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 808 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 809 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 810 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 811 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 812 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 813 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 814 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 815 12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221, 816 134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74, 817 96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79, 818 104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150, 819 46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208, 820 229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237, 821 164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251, 822 199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111, 823 92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49, 824 252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14, 825 129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159, 826 40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25, 827 93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25, 828 4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72, 829 ] 830 .as_slice(); 831 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 832 Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT), 833 _ => false, 834 }),); 835 } 836 #[test] 837 fn test_parse_rsa_sha512() { 838 /// Certificate that uses RSA with SHA-512. 839 const CERT: &[u8] = [ 840 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72, 841 134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 842 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 843 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 844 48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43, 845 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 846 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 847 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 848 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 849 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 850 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 851 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 852 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 853 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 854 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 855 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 856 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 857 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 858 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 859 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 860 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 861 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 862 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 863 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 864 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 865 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 866 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 867 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 868 13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67, 869 167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210, 870 169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33, 871 56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197, 872 190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224, 873 95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1, 874 25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142, 875 231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126, 876 106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14, 877 210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14, 878 14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110, 879 78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246, 880 176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119, 881 14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105, 882 ] 883 .as_slice(); 884 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 885 Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT), 886 _ => false, 887 }),); 888 } 889 #[test] 890 fn test_parse_rsa_sha224() { 891 /// Certificate that uses RSA with SHA-224. 892 const CERT: &[u8] = [ 893 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72, 894 134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 895 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 896 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 897 53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43, 898 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 899 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 900 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 901 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 902 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 903 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 904 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 905 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 906 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 907 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 908 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 909 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 910 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 911 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 912 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 913 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 914 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 915 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 916 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 917 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 918 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 919 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 920 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 921 14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93, 922 193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214, 923 211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229, 924 122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209, 925 202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210, 926 167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64, 927 180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1, 928 86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4, 929 129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51, 930 221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41, 931 151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96, 932 67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156, 933 222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215, 934 211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232, 935 ] 936 .as_slice(); 937 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 938 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 939 _ => false, 940 }),); 941 } 942 #[test] 943 fn test_parse_rsa_sha1() { 944 /// Certificate that uses RSA with SHA-1. 945 const CERT: &[u8] = [ 946 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72, 947 134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 948 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 949 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 950 48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43, 951 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 952 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 953 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 954 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 955 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 956 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 957 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 958 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 959 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 960 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 961 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 962 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 963 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 964 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 965 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 966 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 967 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 968 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 969 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 970 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 971 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 972 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 973 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 974 5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85, 975 60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113, 976 217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44, 977 153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210, 978 157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2, 979 119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136, 980 83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200, 981 140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196, 982 248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143, 983 48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216, 984 152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85, 985 98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0, 986 30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127, 987 143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115, 988 ] 989 .as_slice(); 990 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 991 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 992 _ => false, 993 }),); 994 } 995 #[test] 996 fn test_parse_dsa_sha256() { 997 /// Certificate that uses DSA with SHA-256. 998 const CERT: &[u8] = [ 999 48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72, 1000 1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 1001 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 1002 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51, 1003 48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11, 1004 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 1005 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 1006 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 1007 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 1008 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1009 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1010 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1011 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1012 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1013 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1014 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1015 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1016 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1017 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1018 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1019 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1020 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1021 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1022 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1023 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1024 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1025 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1026 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1027 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1028 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1029 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1030 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1031 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1032 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1033 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1034 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1035 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1036 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1037 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1038 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1039 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1040 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1041 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1042 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1043 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1044 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1045 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1046 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1047 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1048 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1049 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1050 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1051 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1052 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1053 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1054 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1055 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64, 1056 0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153, 1057 169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77, 1058 179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16, 1059 148, 80, 118, 28, 75, 176, 1060 ] 1061 .as_slice(); 1062 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1063 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 1064 _ => false, 1065 }),); 1066 } 1067 #[test] 1068 fn test_parse_dsa_sha224() { 1069 /// Certificate that uses DSA with SHA-224. 1070 const CERT: &[u8] = [ 1071 48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72, 1072 1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 1073 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 1074 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50, 1075 50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11, 1076 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 1077 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 1078 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 1079 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 1080 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1081 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1082 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1083 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1084 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1085 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1086 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1087 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1088 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1089 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1090 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1091 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1092 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1093 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1094 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1095 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1096 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1097 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1098 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1099 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1100 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1101 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1102 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1103 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1104 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1105 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1106 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1107 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1108 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1109 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1110 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1111 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1112 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1113 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1114 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1115 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1116 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1117 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1118 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1119 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1120 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1121 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1122 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1123 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1124 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1125 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1126 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1127 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65, 1128 0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161, 1129 118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44, 1130 225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120, 1131 100, 231, 84, 218, 88, 80, 255, 1132 ] 1133 .as_slice(); 1134 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1135 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 1136 _ => false, 1137 }),); 1138 } 1139 #[test] 1140 fn test_parse_dsa_sha1() { 1141 /// Certificate that uses DSA with SHA-1. 1142 const CERT: &[u8] = [ 1143 48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72, 1144 206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 1145 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 1146 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55, 1147 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9, 1148 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 1149 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130, 1150 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194, 1151 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45, 1152 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1153 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1154 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1155 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1156 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1157 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1158 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1159 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1160 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1161 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1162 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1163 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1164 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1165 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1166 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1167 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1168 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1169 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1170 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1171 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1172 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1173 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1174 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1175 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1176 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1177 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1178 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1179 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1180 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1181 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1182 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1183 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1184 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1185 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1186 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1187 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1188 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1189 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1190 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1191 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1192 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1193 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1194 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1195 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1196 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1197 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1198 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1199 16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48, 1200 60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97, 1201 82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204, 1202 39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75, 1203 203, 163, 99, 1204 ] 1205 .as_slice(); 1206 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1207 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 1208 _ => false, 1209 }),); 1210 } 1211 #[cfg(feature = "runtime")] 1212 #[derive(Debug)] 1213 enum E { 1214 #[expect(dead_code, reason = "does not matter for tests")] 1215 Io(Error), 1216 #[expect(dead_code, reason = "does not matter for tests")] 1217 Rustls(rustls::Error), 1218 #[expect(dead_code, reason = "does not matter for tests")] 1219 Postgres(tokio_postgres::Error), 1220 NoRootCert, 1221 MultipleRootCerts, 1222 NoClientKey, 1223 MultipleClientKeys, 1224 #[expect(dead_code, reason = "does not matter for tests")] 1225 RustlsPem(PemErr), 1226 } 1227 #[cfg(feature = "runtime")] 1228 impl From<Error> for E { 1229 fn from(value: Error) -> Self { 1230 Self::Io(value) 1231 } 1232 } 1233 #[cfg(feature = "runtime")] 1234 impl From<rustls::Error> for E { 1235 fn from(value: rustls::Error) -> Self { 1236 Self::Rustls(value) 1237 } 1238 } 1239 #[cfg(feature = "runtime")] 1240 impl From<tokio_postgres::Error> for E { 1241 fn from(value: tokio_postgres::Error) -> Self { 1242 Self::Postgres(value) 1243 } 1244 } 1245 #[cfg(feature = "runtime")] 1246 impl From<PemErr> for E { 1247 fn from(value: PemErr) -> Self { 1248 Self::RustlsPem(value) 1249 } 1250 } 1251 #[cfg(feature = "runtime")] 1252 #[ignore] 1253 #[test] 1254 fn test_mutual_tls() -> Result<(), E> { 1255 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1256 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1257 let key_file = fs::read("test_data/client.key.pem")?; 1258 let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice()); 1259 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1260 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1261 |cert_res| { 1262 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1263 cert_iter.next().map_or_else( 1264 || { 1265 let mut root_store = RootCertStore::empty(); 1266 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1267 }, 1268 |_| Err(E::MultipleRootCerts), 1269 ) 1270 }) 1271 }, 1272 )?) 1273 .with_client_auth_cert( 1274 CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice()) 1275 .try_fold(Vec::with_capacity(1), |mut certs, res| { 1276 res.map(|cert| { 1277 certs.push(cert); 1278 certs 1279 }) 1280 })?, 1281 key_iter 1282 .next() 1283 .ok_or_else(|| E::NoClientKey) 1284 .and_then(|key_res| { 1285 key_res.map_err(E::RustlsPem).and_then(|key| { 1286 key_iter 1287 .next() 1288 .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys)) 1289 }) 1290 })?, 1291 )?; 1292 super::set_postgresql_alpn(&mut conf); 1293 let mut config = Config::new(); 1294 let connection = config 1295 .application_name("test") 1296 .channel_binding(ChannelBinding::Disable) 1297 .connect_timeout(Duration::from_secs(4)) 1298 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1299 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1300 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1301 .keepalives(false) 1302 .load_balance_hosts(LoadBalanceHosts::Disable) 1303 .port(5432) 1304 .ssl_mode(SslMode::Require) 1305 .target_session_attrs(TargetSessionAttrs::Any) 1306 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1307 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1308 Builder::new_current_thread() 1309 .enable_all() 1310 .build()? 1311 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1312 } 1313 #[cfg(feature = "runtime")] 1314 #[ignore] 1315 #[test] 1316 fn test_password_and_channel_binding() -> Result<(), E> { 1317 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1318 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1319 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1320 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1321 |cert_res| { 1322 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1323 cert_iter.next().map_or_else( 1324 || { 1325 let mut root_store = RootCertStore::empty(); 1326 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1327 }, 1328 |_| Err(E::MultipleRootCerts), 1329 ) 1330 }) 1331 }, 1332 )?) 1333 .with_no_client_auth(); 1334 super::set_postgresql_alpn(&mut conf); 1335 let mut config = Config::new(); 1336 let connection = config 1337 .application_name("test") 1338 .channel_binding(ChannelBinding::Require) 1339 .connect_timeout(Duration::from_secs(4)) 1340 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1341 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1342 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1343 .keepalives(false) 1344 .load_balance_hosts(LoadBalanceHosts::Disable) 1345 .password(fs::read("test_data/password")?.trim_ascii_end()) 1346 .port(5432) 1347 .ssl_mode(SslMode::Require) 1348 .target_session_attrs(TargetSessionAttrs::Any) 1349 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1350 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1351 Builder::new_current_thread() 1352 .enable_all() 1353 .build()? 1354 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1355 } 1356 }