lib.rs (88440B)
1 //! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate) 2 //! 3 //! [git]: https://git.philomathiclife.com/git_badge.svg 4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust 5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs 6 //! 7 //! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`]. 8 #![cfg_attr(docsrs, feature(doc_cfg))] 9 #![expect( 10 clippy::multiple_crate_versions, 11 reason = "dependencies haven't updated to newest crates" 12 )] 13 use core::{ 14 pin::Pin, 15 task::{Context, Poll}, 16 }; 17 use sha2::{ 18 Sha224, Sha256, Sha384, Sha512, 19 digest::{Digest as _, OutputSizeUser, generic_array::GenericArray}, 20 }; 21 use std::io::{self, IoSlice}; 22 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf}; 23 #[cfg(feature = "runtime")] 24 use tokio_postgres::tls::MakeTlsConnect; 25 use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream}; 26 use tokio_rustls::{ 27 Connect, 28 client::TlsStream as RustlsStream, 29 rustls::{ 30 ClientConfig, 31 pki_types::{InvalidDnsNameError, ServerName}, 32 }, 33 }; 34 /// Hash for the leaf certificate provided by the PostgreSQL server. 35 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 36 enum Hash { 37 /// SHA-256 hash. 38 Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>), 39 /// SHA-384 hash. 40 Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>), 41 /// SHA-512 hash. 42 Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>), 43 /// SHA-224 hash. 44 Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>), 45 } 46 impl From<Hash> for Vec<u8> { 47 #[inline] 48 fn from(value: Hash) -> Self { 49 match value { 50 Hash::Sha256(hash) => hash.to_vec(), 51 Hash::Sha384(hash) => hash.to_vec(), 52 Hash::Sha512(hash) => hash.to_vec(), 53 Hash::Sha224(hash) => hash.to_vec(), 54 } 55 } 56 } 57 impl Hash { 58 /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash 59 /// `cert` (based on the underlying hash algorithm of the signature algorithm). 60 /// 61 /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid 62 /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that 63 /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what 64 /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to 65 /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm. 66 /// 67 /// The only signature algorithms supported are the following: 68 /// 69 /// * id-Ed25519 70 /// * ecdsa-with-SHA256 71 /// * sha256WithRSAEncryption 72 /// * ecdsa-with-SHA384 73 /// * sha384WithRSAEncryption 74 /// * ecdsa-with-SHA512 75 /// * sha512WithRSAEncryption 76 /// * ecdsa-with-SHA224 77 /// * sha224WithRSAEncryption 78 /// * dsa-with-SHA256 79 /// * dsa-with-SHA224 80 /// * dsa-with-SHA1 81 /// * sha1WithRSAEncryption 82 /// 83 /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature. 84 /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`. 85 // 86 // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format 87 // of an X.509 v3 Certificate: 88 // 89 // ```asn 90 // Certificate ::= SEQUENCE { 91 // tbsCertificate TBSCertificate, 92 // signatureAlgorithm AlgorithmIdentifier, 93 // signatureValue BIT STRING } 94 // 95 // TBSCertificate ::= SEQUENCE { … } 96 // 97 // AlgorithmIdentifier ::= SEQUENCE { 98 // algorithm OBJECT IDENTIFIER, 99 // parameters ANY DEFINED BY algorithm OPTIONAL } 100 // ``` 101 // 102 // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en) 103 // describes how DER-encoding works. 104 #[expect( 105 clippy::arithmetic_side_effects, 106 clippy::big_endian_bytes, 107 clippy::indexing_slicing, 108 reason = "comments justify their correctness" 109 )] 110 #[expect(clippy::too_many_lines, reason = "inflated by the const slices")] 111 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 112 fn from_der_cert(cert: &[u8]) -> Option<Self> { 113 /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9) 114 /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19. 115 const ED25519: &[u8] = [43, 101, 112].as_slice(); 116 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 117 /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as 118 /// below per X.690 § 8.19. 119 const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice(); 120 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 121 /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as 122 /// below per X.690 § 8.19. 123 const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice(); 124 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 125 /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as 126 /// below per X.690 § 8.19. 127 const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice(); 128 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 129 /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as 130 /// below per X.690 § 8.19. 131 const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice(); 132 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 133 /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as 134 /// below per X.690 § 8.19. 135 const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice(); 136 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 137 /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as 138 /// below per X.690 § 8.19. 139 const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice(); 140 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 141 /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as 142 /// below per X.690 § 8.19. 143 const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice(); 144 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 145 /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as 146 /// below per X.690 § 8.19. 147 const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice(); 148 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 149 /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as 150 /// below per X.690 § 8.19. 151 const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice(); 152 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 153 /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as 154 /// below per X.690 § 8.19. 155 const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice(); 156 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 157 /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as 158 /// below per X.690 § 8.19. 159 const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice(); 160 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 161 /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as 162 /// below per X.690 § 8.19. 163 const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice(); 164 // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents 165 // the (possibly encoded) length of the remaining payload. 166 cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| { 167 // This won't `panic` since `cert_seq.len() == 2`. 168 // This represents the (possibly encoded) length. 169 // 170 // We don't care about the actual length of the payload. We only care about the number of bytes 171 // we need to skip until the (possibly encoded) length of the constructed sequence of 172 // tbsCertificate. 173 match cert_seq[1] { 174 // The length of the payload is represented with this byte; thus we only need to skip 175 // the constructed sequence byte (i.e., 0x30) of tbsCertificate. 176 ..=127 => Some(1), 177 // The length of the payload is invalid since DER-encoded lengths must use the minimum 178 // number of bytes possible. The high bit is set iff one or more octets are needed to encode 179 // the actual length. The number of octets is represented by the remaining bits; thus this 180 // means there are 0 bytes to encode the length, but then it should have been encoded as 181 // `0` and not `128`. 182 // 183 // 255 is not allowed to be used per § 8.1.3.5. 184 128 | 255 => None, 185 // The remaining bits represent the number of bytes that it takes to encode the length; 186 // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30) 187 // of tbsCertificate. This is the same as just subtracting 127. 188 // 189 // Underflow clearly cannot occur since `len` is at least 129. 190 len @ 129.. => Some(usize::from(len) - 127), 191 } 192 .and_then(|skip| { 193 cert_rem.get(skip..).and_then(|tbs_rem_with_len| { 194 // Remaining payload starting from the (possibly encoded) length of tbsCertificate. 195 tbs_rem_with_len 196 // Extract the (possibly encoded) length of tbsCertificate. 197 .split_first() 198 .and_then(|(tbs_enc_len, tbs_rem)| { 199 // We need to extract how many bytes make up tbsCertificate that way 200 // we can skip it and get to the (possibly encoded) length of 201 // signatureAlgorithm. 202 match *tbs_enc_len { 203 // tbsCertificate is encoded in `len` bytes. We need to skip that many 204 // bytes taking into account the constructed sequence byte (i.e., 0x30) 205 // of signatureAlgorithm. 206 // 207 // This won't overflow since `len` is at most 127; thus this maxes at 128 208 // which is <= `usize::MAX`. 209 len @ ..=127 => Some(usize::from(len) + 1), 210 // The number of bytes tbsCertificate is encoded in takes 1 byte to encode 211 // We get that one byte since that is how many bytes we need to skip taking 212 // into account the byte and the constructed sequence byte (i.e., 0x30) of 213 // signatureAlgorithm. 214 // 215 // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX. 216 129 => tbs_rem.first().map(|len| usize::from(*len) + 2), 217 // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode. 218 // We get the two bytes since that is how many bytes we need to skip. 219 130 => tbs_rem.get(..2).and_then(|enc_len| { 220 let mut big_endian_len = [0; 2]; 221 // This won't `panic` since `enc_len.len() == 2`. 222 big_endian_len.copy_from_slice(enc_len); 223 // Multi-byte lengths are encoded in big-endian. 224 u16::from_be_bytes(big_endian_len) 225 // We need to account for the two bytes and the constructed sequence byte 226 // (i.e., 0x30) of signatureAlgorithm. 227 .checked_add(3) 228 // We don't support payloads larger than 65,535 since that is more than 229 // enough for a single certificate. 230 .map(usize::from) 231 }), 232 // We arbitrarily cap the size of payloads we accept to simplify decoding. 233 // If this is more than 130, then the payload is at least 16,777,216 bytes 234 // which is obscenely large for a single certificate. 128 is invalid. 235 _ => None, 236 } 237 .and_then(|tbs_len| { 238 tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| { 239 // Remaining payload starting from the (possibly encoded) length of 240 // signatureAlgorithm. 241 alg_rem_with_len 242 // Extract the (possibly encoded) length of signatureAlgorithm. 243 .split_first() 244 .and_then(|(alg_enc_len, alg_rem)| { 245 // We need to extract how many bytes make up signatureAlgorithm that way 246 // we can skip it and get to the (possibly encoded) length of algorithm. 247 match *alg_enc_len { 248 // The length of the payload is represented with this byte; thus we 249 // only need to skip the object identifier byte (i.e., 0x06) of 250 // algorithm. 251 ..=127 => Some(1), 252 // The length of the payload is invalid. 253 128 | 255 => None, 254 // The remaining bits represents the number of bytes that it takes to 255 // encode the length; thus we subtract 128 and add 1 to account for 256 // the object identifier byte (i.e., 0x06) of algorithm. 257 // This is the same as just subtracting 127. 258 // 259 // Underflow clearly cannot occur since `len` is at least 129. 260 len @ 129.. => Some(usize::from(len) - 127), 261 } 262 .and_then( 263 |alg_skip| { 264 alg_rem.get(alg_skip..).and_then(|oid_rem| { 265 // Remaining payload starting from the (possibly encoded) 266 // length of algorithm, and we extract the 267 // (possibly encoded) length of algorithm. 268 oid_rem.split_first().and_then( 269 |(oid_enc_len, rem)| { 270 // Extract the algorithm. 271 // Recall we don't care if the certificate is 272 // invalid, and we only support algorithms of 273 // length at most 127. As a result, we treat 274 // `oid_enc_len` as is. 275 rem.get(..usize::from(*oid_enc_len)) 276 .and_then(|oid| match oid { 277 ED25519 | ECDSA_SHA256 278 | RSA_SHA256 | DSA_SHA256 279 // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1) 280 // mandates that SHA-1 based signatures 281 // use SHA-256. 282 | DSA_SHA1 | RSA_SHA1 => { 283 Some(Self::Sha256( 284 Sha256::digest( 285 cert, 286 ), 287 )) 288 } 289 ECDSA_SHA384 290 | RSA_SHA384 => { 291 Some(Self::Sha384( 292 Sha384::digest( 293 cert, 294 ), 295 )) 296 } 297 ECDSA_SHA512 298 | RSA_SHA512 => { 299 Some(Self::Sha512( 300 Sha512::digest( 301 cert, 302 ), 303 )) 304 } 305 ECDSA_SHA224 306 | RSA_SHA224 307 | DSA_SHA224 => { 308 Some(Self::Sha224( 309 Sha224::digest( 310 cert, 311 ), 312 )) 313 } 314 _ => None, 315 }) 316 }, 317 ) 318 }) 319 }, 320 ) 321 }) 322 }) 323 }) 324 }) 325 }) 326 }) 327 }) 328 } 329 } 330 /// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`]. 331 #[derive(Debug)] 332 pub struct TlsStream<S>(RustlsStream<S>); 333 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> { 334 #[inline] 335 fn poll_read( 336 mut self: Pin<&mut Self>, 337 cx: &mut Context<'_>, 338 buf: &mut ReadBuf<'_>, 339 ) -> Poll<io::Result<()>> { 340 Pin::new(&mut self.0).poll_read(cx, buf) 341 } 342 } 343 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> { 344 #[inline] 345 fn poll_write( 346 mut self: Pin<&mut Self>, 347 cx: &mut Context<'_>, 348 buf: &[u8], 349 ) -> Poll<Result<usize, io::Error>> { 350 Pin::new(&mut self.0).poll_write(cx, buf) 351 } 352 #[inline] 353 fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> { 354 Pin::new(&mut self.0).poll_flush(cx) 355 } 356 #[inline] 357 fn poll_shutdown( 358 mut self: Pin<&mut Self>, 359 cx: &mut Context<'_>, 360 ) -> Poll<Result<(), io::Error>> { 361 Pin::new(&mut self.0).poll_shutdown(cx) 362 } 363 #[inline] 364 fn poll_write_vectored( 365 mut self: Pin<&mut Self>, 366 cx: &mut Context<'_>, 367 bufs: &[IoSlice<'_>], 368 ) -> Poll<Result<usize, io::Error>> { 369 Pin::new(&mut self.0).poll_write_vectored(cx, bufs) 370 } 371 #[inline] 372 fn is_write_vectored(&self) -> bool { 373 self.0.is_write_vectored() 374 } 375 } 376 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> { 377 /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server. 378 /// 379 /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate 380 /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should 381 /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When 382 /// the certificate is valid and uses a supported signature algorithm, then this will always return the 383 /// correct value. 384 /// 385 /// The only supported signature algorithms are the following: 386 /// 387 /// * id-Ed25519 388 /// * ecdsa-with-SHA256 389 /// * sha256WithRSAEncryption 390 /// * ecdsa-with-SHA384 391 /// * sha384WithRSAEncryption 392 /// * ecdsa-with-SHA512 393 /// * sha512WithRSAEncryption 394 /// * ecdsa-with-SHA224 395 /// * sha224WithRSAEncryption 396 /// * dsa-with-SHA256 397 /// * dsa-with-SHA224 398 /// * dsa-with-SHA1 399 /// * sha1WithRSAEncryption 400 /// 401 /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not 402 /// part of TLS 1.3 are supported, you should avoid them. 403 /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2). 404 /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL 405 /// (e.g., id-Ed25519). 406 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 407 #[inline] 408 fn channel_binding(&self) -> ChannelBinding { 409 self.0 410 .get_ref() 411 .1 412 .peer_certificates() 413 .and_then(|certs| { 414 certs.first().and_then(|fst| { 415 Hash::from_der_cert(fst) 416 .map(|hash| ChannelBinding::tls_server_end_point(hash.into())) 417 }) 418 }) 419 .unwrap_or_else(ChannelBinding::none) 420 } 421 } 422 /// [`TlsConnector::Future`] returned from [`TlsConnector::connect`]. 423 #[expect( 424 missing_debug_implementations, 425 reason = "Connect does not implement Debug, so we don't" 426 )] 427 pub struct TlsConnectorFuture<S>(Connect<S>); 428 impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> { 429 type Output = io::Result<TlsStream<S>>; 430 #[inline] 431 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 432 Pin::new(&mut self.0).poll(cx).map_ok(TlsStream) 433 } 434 } 435 /// Connects to the PostgreSQL server. 436 #[expect( 437 missing_debug_implementations, 438 reason = "TlsConnector does not implement Debug, so we don't" 439 )] 440 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 441 pub struct TlsConnector<'domain> { 442 /// Used to connect to the PostgreSQL server. 443 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 444 connector: tokio_rustls::TlsConnector, 445 /// The domain or IP of the PostgreSQL server. 446 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 447 dom: ServerName<'domain>, 448 } 449 impl<'domain> TlsConnector<'domain> { 450 /// Returns `Self` based on `connector` and `domain`. 451 /// 452 /// # Errors 453 /// 454 /// Errors iff [`ServerName::try_from`] does when passed `domain`. 455 #[expect(single_use_lifetimes, reason = "false positive")] 456 #[inline] 457 pub fn new<'dom: 'domain>( 458 connector: tokio_rustls::TlsConnector, 459 domain: &'dom str, 460 ) -> Result<Self, InvalidDnsNameError> { 461 ServerName::try_from(domain).map(|dom| Self { connector, dom }) 462 } 463 } 464 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> { 465 type Stream = TlsStream<S>; 466 type Error = io::Error; 467 type Future = TlsConnectorFuture<S>; 468 #[inline] 469 fn connect(self, stream: S) -> Self::Future { 470 TlsConnectorFuture(self.connector.connect(self.dom, stream)) 471 } 472 } 473 /// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`]. 474 #[expect( 475 missing_debug_implementations, 476 reason = "TlsConnector does not implement Debug, so we don't" 477 )] 478 #[cfg_attr(docsrs, doc(cfg(feature = "runtime")))] 479 #[cfg(feature = "runtime")] 480 #[derive(Clone)] 481 pub struct MakeTlsConnector(tokio_rustls::TlsConnector); 482 #[cfg(feature = "runtime")] 483 impl MakeTlsConnector { 484 /// Constructs `Self` based on `connector`. 485 #[inline] 486 #[must_use] 487 pub const fn new(connector: tokio_rustls::TlsConnector) -> Self { 488 Self(connector) 489 } 490 } 491 #[cfg(feature = "runtime")] 492 impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector { 493 type Stream = TlsStream<S>; 494 type TlsConnect = TlsConnector<'static>; 495 type Error = InvalidDnsNameError; 496 #[inline] 497 fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> { 498 ServerName::try_from(domain).map(|dom| TlsConnector { 499 connector: self.0.clone(), 500 dom: dom.to_owned(), 501 }) 502 } 503 } 504 /// Removes any ALPN values and adds the `b"postgresql"` ALPN. 505 #[inline] 506 pub fn set_postgresql_alpn(config: &mut ClientConfig) { 507 config.alpn_protocols.clear(); 508 config.alpn_protocols.push(vec![ 509 b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l', 510 ]); 511 } 512 #[cfg(test)] 513 mod tests { 514 #[cfg(feature = "runtime")] 515 extern crate alloc; 516 use super::Hash; 517 #[cfg(feature = "runtime")] 518 use super::MakeTlsConnector; 519 #[cfg(feature = "runtime")] 520 use alloc::sync::Arc; 521 #[cfg(feature = "runtime")] 522 use core::{ 523 net::{IpAddr, Ipv6Addr}, 524 time::Duration, 525 }; 526 use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512}; 527 #[cfg(feature = "runtime")] 528 use std::{fs, io::Error}; 529 #[cfg(feature = "runtime")] 530 use tokio::runtime::Builder; 531 #[cfg(feature = "runtime")] 532 use tokio_postgres::{ 533 Config, 534 config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs}, 535 }; 536 #[cfg(feature = "runtime")] 537 use tokio_rustls::rustls::{ 538 self, ClientConfig, RootCertStore, 539 pki_types::{ 540 CertificateDer, PrivateKeyDer, 541 pem::{Error as PemErr, PemObject as _}, 542 }, 543 version::TLS13, 544 }; 545 #[test] 546 fn test_parse_ed25519() { 547 /// Certificate that uses Ed25519. 548 const CERT: &[u8] = [ 549 48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112, 550 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10, 551 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111, 552 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13, 553 50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4, 554 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13, 555 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 556 33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211, 557 181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48, 558 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240, 559 99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 560 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 561 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 562 22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132, 563 146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167, 564 57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139, 565 17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89, 566 251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0, 567 ] 568 .as_slice(); 569 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 570 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 571 _ => false, 572 }),); 573 } 574 #[test] 575 fn test_parse_ecdsa_sha256() { 576 /// Certificate that uses ECDSA with SHA-256. 577 const CERT: &[u8] = [ 578 48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72, 579 206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 580 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 581 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51, 582 48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48, 583 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 584 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7, 585 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27, 586 22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187, 587 134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95, 588 59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155, 589 58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 590 22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167, 591 224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 592 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 593 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133, 594 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10, 595 6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111, 596 216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211, 597 19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207, 598 160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85, 599 56, 11, 178, 88, 600 ] 601 .as_slice(); 602 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 603 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 604 _ => false, 605 }),); 606 } 607 #[test] 608 fn test_parse_ecdsa_sha384() { 609 /// Certificate that uses ECDSA with SHA-384. 610 const CERT: &[u8] = [ 611 48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72, 612 206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 613 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 614 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51, 615 55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48, 616 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 617 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7, 618 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228, 619 83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231, 620 78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62, 621 47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107, 622 6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235, 623 159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117, 624 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100, 625 191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1, 626 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 627 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 628 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 629 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0, 630 48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234, 631 232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2, 632 32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3, 633 23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255, 634 ] 635 .as_slice(); 636 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 637 Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT), 638 _ => false, 639 }),); 640 } 641 #[test] 642 fn test_parse_ecdsa_sha512() { 643 /// Certificate that uses ECDSA with SHA-512. 644 const CERT: &[u8] = [ 645 48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72, 646 206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 647 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 648 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51, 649 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48, 650 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 651 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6, 652 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143, 653 210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219, 654 111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89, 655 120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129, 656 214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106, 657 145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116, 658 232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102, 659 166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48, 660 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13, 661 164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1, 662 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 663 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 664 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 665 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0, 666 48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233, 667 218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0, 668 141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113, 669 232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108, 670 ] 671 .as_slice(); 672 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 673 Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT), 674 _ => false, 675 }),); 676 } 677 #[test] 678 fn test_parse_ecdsa_sha224() { 679 /// Certificate that uses ECDSA with SHA-224. 680 const CERT: &[u8] = [ 681 48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72, 682 206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 683 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 684 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49, 685 52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48, 686 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 687 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7, 688 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78, 689 60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158, 690 214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193, 691 136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115, 692 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91, 693 221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 694 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 695 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 696 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 697 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2, 698 32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159, 699 33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115, 700 52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22, 701 165, 212, 65, 202, 124, 15, 53, 150, 93, 183, 702 ] 703 .as_slice(); 704 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 705 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 706 _ => false, 707 }),); 708 } 709 #[test] 710 fn test_parse_rsa_sha256() { 711 /// Certificate that uses RSA with SHA-256. 712 const CERT: &[u8] = [ 713 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72, 714 134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 715 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 716 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 717 48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43, 718 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 719 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 720 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 721 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 722 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 723 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 724 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 725 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 726 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 727 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 728 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 729 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 730 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 731 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 732 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 733 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 734 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 735 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 736 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 737 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 738 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 739 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 740 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 741 11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24, 742 94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31, 743 178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87, 744 119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46, 745 105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241, 746 110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11, 747 121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119, 748 78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8, 749 43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96, 750 232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108, 751 107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123, 752 247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135, 753 136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36, 754 61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77, 755 50, 219, 97, 756 ] 757 .as_slice(); 758 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 759 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 760 _ => false, 761 }),); 762 } 763 #[test] 764 fn test_parse_rsa_sha384() { 765 /// Certificate that uses RSA with SHA-384. 766 const CERT: &[u8] = [ 767 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72, 768 134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 769 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 770 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 771 48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43, 772 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 773 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 774 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 775 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 776 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 777 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 778 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 779 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 780 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 781 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 782 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 783 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 784 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 785 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 786 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 787 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 788 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 789 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 790 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 791 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 792 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 793 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 794 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 795 12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221, 796 134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74, 797 96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79, 798 104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150, 799 46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208, 800 229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237, 801 164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251, 802 199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111, 803 92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49, 804 252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14, 805 129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159, 806 40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25, 807 93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25, 808 4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72, 809 ] 810 .as_slice(); 811 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 812 Hash::Sha384(ref hash) => *hash == Sha384::digest(CERT), 813 _ => false, 814 }),); 815 } 816 #[test] 817 fn test_parse_rsa_sha512() { 818 /// Certificate that uses RSA with SHA-512. 819 const CERT: &[u8] = [ 820 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72, 821 134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 822 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 823 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 824 48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43, 825 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 826 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 827 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 828 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 829 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 830 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 831 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 832 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 833 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 834 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 835 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 836 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 837 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 838 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 839 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 840 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 841 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 842 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 843 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 844 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 845 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 846 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 847 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 848 13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67, 849 167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210, 850 169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33, 851 56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197, 852 190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224, 853 95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1, 854 25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142, 855 231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126, 856 106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14, 857 210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14, 858 14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110, 859 78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246, 860 176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119, 861 14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105, 862 ] 863 .as_slice(); 864 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 865 Hash::Sha512(ref hash) => *hash == Sha512::digest(CERT), 866 _ => false, 867 }),); 868 } 869 #[test] 870 fn test_parse_rsa_sha224() { 871 /// Certificate that uses RSA with SHA-224. 872 const CERT: &[u8] = [ 873 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72, 874 134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 875 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 876 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 877 53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43, 878 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 879 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 880 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 881 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 882 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 883 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 884 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 885 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 886 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 887 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 888 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 889 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 890 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 891 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 892 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 893 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 894 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 895 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 896 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 897 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 898 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 899 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 900 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 901 14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93, 902 193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214, 903 211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229, 904 122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209, 905 202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210, 906 167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64, 907 180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1, 908 86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4, 909 129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51, 910 221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41, 911 151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96, 912 67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156, 913 222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215, 914 211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232, 915 ] 916 .as_slice(); 917 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 918 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 919 _ => false, 920 }),); 921 } 922 #[test] 923 fn test_parse_rsa_sha1() { 924 /// Certificate that uses RSA with SHA-1. 925 const CERT: &[u8] = [ 926 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72, 927 134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 928 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 929 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 930 48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43, 931 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 932 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 933 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 934 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 935 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 936 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 937 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 938 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 939 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 940 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 941 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 942 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 943 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 944 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 945 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 946 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 947 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 948 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 949 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 950 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 951 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 952 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 953 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 954 5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85, 955 60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113, 956 217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44, 957 153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210, 958 157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2, 959 119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136, 960 83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200, 961 140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196, 962 248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143, 963 48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216, 964 152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85, 965 98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0, 966 30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127, 967 143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115, 968 ] 969 .as_slice(); 970 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 971 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 972 _ => false, 973 }),); 974 } 975 #[test] 976 fn test_parse_dsa_sha256() { 977 /// Certificate that uses DSA with SHA-256. 978 const CERT: &[u8] = [ 979 48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72, 980 1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 981 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 982 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51, 983 48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11, 984 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 985 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 986 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 987 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 988 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 989 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 990 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 991 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 992 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 993 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 994 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 995 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 996 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 997 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 998 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 999 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1000 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1001 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1002 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1003 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1004 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1005 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1006 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1007 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1008 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1009 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1010 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1011 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1012 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1013 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1014 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1015 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1016 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1017 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1018 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1019 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1020 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1021 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1022 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1023 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1024 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1025 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1026 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1027 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1028 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1029 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1030 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1031 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1032 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1033 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1034 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1035 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64, 1036 0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153, 1037 169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77, 1038 179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16, 1039 148, 80, 118, 28, 75, 176, 1040 ] 1041 .as_slice(); 1042 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1043 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 1044 _ => false, 1045 }),); 1046 } 1047 #[test] 1048 fn test_parse_dsa_sha224() { 1049 /// Certificate that uses DSA with SHA-224. 1050 const CERT: &[u8] = [ 1051 48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72, 1052 1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 1053 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 1054 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50, 1055 50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11, 1056 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 1057 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 1058 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 1059 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 1060 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1061 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1062 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1063 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1064 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1065 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1066 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1067 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1068 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1069 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1070 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1071 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1072 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1073 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1074 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1075 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1076 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1077 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1078 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1079 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1080 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1081 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1082 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1083 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1084 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1085 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1086 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1087 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1088 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1089 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1090 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1091 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1092 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1093 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1094 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1095 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1096 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1097 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1098 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1099 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1100 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1101 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1102 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1103 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1104 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1105 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1106 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1107 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65, 1108 0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161, 1109 118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44, 1110 225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120, 1111 100, 231, 84, 218, 88, 80, 255, 1112 ] 1113 .as_slice(); 1114 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1115 Hash::Sha224(ref hash) => *hash == Sha224::digest(CERT), 1116 _ => false, 1117 }),); 1118 } 1119 #[test] 1120 fn test_parse_dsa_sha1() { 1121 /// Certificate that uses DSA with SHA-1. 1122 const CERT: &[u8] = [ 1123 48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72, 1124 206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 1125 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 1126 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55, 1127 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9, 1128 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 1129 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130, 1130 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194, 1131 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45, 1132 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1133 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1134 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1135 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1136 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1137 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1138 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1139 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1140 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1141 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1142 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1143 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1144 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1145 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1146 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1147 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1148 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1149 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1150 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1151 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1152 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1153 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1154 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1155 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1156 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1157 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1158 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1159 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1160 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1161 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1162 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1163 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1164 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1165 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1166 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1167 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1168 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1169 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1170 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1171 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1172 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1173 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1174 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1175 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1176 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1177 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1178 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1179 16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48, 1180 60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97, 1181 82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204, 1182 39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75, 1183 203, 163, 99, 1184 ] 1185 .as_slice(); 1186 assert!(Hash::from_der_cert(CERT).map_or(false, |hash| match hash { 1187 Hash::Sha256(ref hash) => *hash == Sha256::digest(CERT), 1188 _ => false, 1189 }),); 1190 } 1191 #[cfg(feature = "runtime")] 1192 #[derive(Debug)] 1193 enum E { 1194 #[expect(dead_code, reason = "does not matter for tests")] 1195 Io(Error), 1196 #[expect(dead_code, reason = "does not matter for tests")] 1197 Rustls(rustls::Error), 1198 #[expect(dead_code, reason = "does not matter for tests")] 1199 Postgres(tokio_postgres::Error), 1200 NoRootCert, 1201 MultipleRootCerts, 1202 NoClientKey, 1203 MultipleClientKeys, 1204 #[expect(dead_code, reason = "does not matter for tests")] 1205 RustlsPem(PemErr), 1206 } 1207 #[cfg(feature = "runtime")] 1208 impl From<Error> for E { 1209 fn from(value: Error) -> Self { 1210 Self::Io(value) 1211 } 1212 } 1213 #[cfg(feature = "runtime")] 1214 impl From<rustls::Error> for E { 1215 fn from(value: rustls::Error) -> Self { 1216 Self::Rustls(value) 1217 } 1218 } 1219 #[cfg(feature = "runtime")] 1220 impl From<tokio_postgres::Error> for E { 1221 fn from(value: tokio_postgres::Error) -> Self { 1222 Self::Postgres(value) 1223 } 1224 } 1225 #[cfg(feature = "runtime")] 1226 impl From<PemErr> for E { 1227 fn from(value: PemErr) -> Self { 1228 Self::RustlsPem(value) 1229 } 1230 } 1231 #[cfg(feature = "runtime")] 1232 #[ignore] 1233 #[test] 1234 fn test_mutual_tls() -> Result<(), E> { 1235 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1236 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1237 let key_file = fs::read("test_data/client.key.pem")?; 1238 let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice()); 1239 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1240 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1241 |cert_res| { 1242 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1243 cert_iter.next().map_or_else( 1244 || { 1245 let mut root_store = RootCertStore::empty(); 1246 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1247 }, 1248 |_| Err(E::MultipleRootCerts), 1249 ) 1250 }) 1251 }, 1252 )?) 1253 .with_client_auth_cert( 1254 CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice()) 1255 .try_fold(Vec::with_capacity(1), |mut certs, res| { 1256 res.map(|cert| { 1257 certs.push(cert); 1258 certs 1259 }) 1260 })?, 1261 key_iter 1262 .next() 1263 .ok_or_else(|| E::NoClientKey) 1264 .and_then(|key_res| { 1265 key_res.map_err(E::RustlsPem).and_then(|key| { 1266 key_iter 1267 .next() 1268 .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys)) 1269 }) 1270 })?, 1271 )?; 1272 super::set_postgresql_alpn(&mut conf); 1273 let mut config = Config::new(); 1274 let connection = config 1275 .application_name("test") 1276 .channel_binding(ChannelBinding::Disable) 1277 .connect_timeout(Duration::from_secs(4)) 1278 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1279 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1280 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1281 .keepalives(false) 1282 .load_balance_hosts(LoadBalanceHosts::Disable) 1283 .port(5432) 1284 .ssl_mode(SslMode::Require) 1285 .target_session_attrs(TargetSessionAttrs::Any) 1286 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1287 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1288 Builder::new_current_thread() 1289 .enable_all() 1290 .build()? 1291 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1292 } 1293 #[cfg(feature = "runtime")] 1294 #[ignore] 1295 #[test] 1296 fn test_password_and_channel_binding() -> Result<(), E> { 1297 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1298 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1299 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1300 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1301 |cert_res| { 1302 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1303 cert_iter.next().map_or_else( 1304 || { 1305 let mut root_store = RootCertStore::empty(); 1306 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1307 }, 1308 |_| Err(E::MultipleRootCerts), 1309 ) 1310 }) 1311 }, 1312 )?) 1313 .with_no_client_auth(); 1314 super::set_postgresql_alpn(&mut conf); 1315 let mut config = Config::new(); 1316 let connection = config 1317 .application_name("test") 1318 .channel_binding(ChannelBinding::Require) 1319 .connect_timeout(Duration::from_secs(4)) 1320 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1321 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1322 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1323 .keepalives(false) 1324 .load_balance_hosts(LoadBalanceHosts::Disable) 1325 .password(fs::read("test_data/password")?.trim_ascii_end()) 1326 .port(5432) 1327 .ssl_mode(SslMode::Require) 1328 .target_session_attrs(TargetSessionAttrs::Any) 1329 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1330 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1331 Builder::new_current_thread() 1332 .enable_all() 1333 .build()? 1334 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1335 } 1336 }