lib.rs (89232B)
1 //! [![git]](https://git.philomathiclife.com/postgres_rustls/log.html) [![crates-io]](https://crates.io/crates/postgres_rustls) [![docs-rs]](crate) 2 //! 3 //! [git]: https://git.philomathiclife.com/git_badge.svg 4 //! [crates-io]: https://img.shields.io/badge/crates.io-fc8d62?style=for-the-badge&labelColor=555555&logo=rust 5 //! [docs-rs]: https://img.shields.io/badge/docs.rs-66c2a5?style=for-the-badge&labelColor=555555&logo=docs.rs 6 //! 7 //! `postgres_rustls` is a library that adds TLS support to [`tokio_postgres`] using [`tokio_rustls`]. 8 #![cfg_attr(docsrs, feature(doc_cfg))] 9 #![expect( 10 clippy::multiple_crate_versions, 11 reason = "dependencies haven't updated to newest crates" 12 )] 13 #![expect( 14 clippy::doc_paragraphs_missing_punctuation, 15 reason = "false positive for crate documentation having image links" 16 )] 17 use core::{ 18 pin::Pin, 19 task::{Context, Poll}, 20 }; 21 use sha2::{ 22 Sha224, Sha256, Sha384, Sha512, 23 digest::{Digest as _, OutputSizeUser, generic_array::GenericArray}, 24 }; 25 use std::io::{self, IoSlice}; 26 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf}; 27 #[cfg(feature = "runtime")] 28 use tokio_postgres::tls::MakeTlsConnect; 29 use tokio_postgres::tls::{ChannelBinding, TlsConnect as PgTlsConnect, TlsStream as PgTlsStream}; 30 use tokio_rustls::{ 31 Connect, 32 client::TlsStream as RustlsStream, 33 rustls::{ 34 ClientConfig, 35 pki_types::{InvalidDnsNameError, ServerName}, 36 }, 37 }; 38 /// Hash for the leaf certificate provided by the PostgreSQL server. 39 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 40 enum Hash { 41 /// SHA-256 hash. 42 Sha256(GenericArray<u8, <Sha256 as OutputSizeUser>::OutputSize>), 43 /// SHA-384 hash. 44 Sha384(GenericArray<u8, <Sha384 as OutputSizeUser>::OutputSize>), 45 /// SHA-512 hash. 46 Sha512(GenericArray<u8, <Sha512 as OutputSizeUser>::OutputSize>), 47 /// SHA-224 hash. 48 Sha224(GenericArray<u8, <Sha224 as OutputSizeUser>::OutputSize>), 49 } 50 impl From<Hash> for Vec<u8> { 51 #[inline] 52 fn from(value: Hash) -> Self { 53 match value { 54 Hash::Sha256(hash) => hash.to_vec(), 55 Hash::Sha384(hash) => hash.to_vec(), 56 Hash::Sha512(hash) => hash.to_vec(), 57 Hash::Sha224(hash) => hash.to_vec(), 58 } 59 } 60 } 61 impl Hash { 62 /// Parses `cert` as a DER-encoded X.509 v3 certifcate extracting the signature algorithm and using it to hash 63 /// `cert` (based on the underlying hash algorithm of the signature algorithm). 64 /// 65 /// Note this will return `Some` for certain invalid payloads; however when the payload is a valid 66 /// DER-encoded X.509 v3 certificate, then it is guaranteed to produce the correct hash. The idea is that 67 /// in the event the leaf certificate is invalid, then it will be rejected by `rustls` anyway thus what 68 /// this returns won't matter. We do this for simplicity and performance reasons since it allows us to 69 /// avoid parsing the entire certificate and instead _only_ care about the signature algorithm. 70 /// 71 /// The only signature algorithms supported are the following: 72 /// 73 /// * id-Ed25519 74 /// * ecdsa-with-SHA256 75 /// * sha256WithRSAEncryption 76 /// * ecdsa-with-SHA384 77 /// * sha384WithRSAEncryption 78 /// * ecdsa-with-SHA512 79 /// * sha512WithRSAEncryption 80 /// * ecdsa-with-SHA224 81 /// * sha224WithRSAEncryption 82 /// * dsa-with-SHA256 83 /// * dsa-with-SHA224 84 /// * dsa-with-SHA1 85 /// * sha1WithRSAEncryption 86 /// 87 /// More may be added; but for ones that require additional dependencies, they will be hidden behind a feature. 88 /// Additionally new ones must be supported by PostgreSQL, `tokio-postgres`, and `rustls`. 89 // 90 // [RFC 5280 § 4.1](https://www.rfc-editor.org/rfc/rfc5280#section-4.1) describes the ASN.1 format 91 // of an X.509 v3 Certificate: 92 // 93 // ```asn 94 // Certificate ::= SEQUENCE { 95 // tbsCertificate TBSCertificate, 96 // signatureAlgorithm AlgorithmIdentifier, 97 // signatureValue BIT STRING } 98 // 99 // TBSCertificate ::= SEQUENCE { … } 100 // 101 // AlgorithmIdentifier ::= SEQUENCE { 102 // algorithm OBJECT IDENTIFIER, 103 // parameters ANY DEFINED BY algorithm OPTIONAL } 104 // ``` 105 // 106 // [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690-202102-I/en) 107 // describes how DER-encoding works. 108 #[expect( 109 clippy::arithmetic_side_effects, 110 clippy::big_endian_bytes, 111 clippy::indexing_slicing, 112 reason = "comments justify their correctness" 113 )] 114 #[expect(clippy::too_many_lines, reason = "inflated by the const slices")] 115 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 116 fn from_der_cert(cert: &[u8]) -> Option<Self> { 117 /// [RFC 8410 § 9](https://www.rfc-editor.org/rfc/rfc8410#section-9) 118 /// defines id-Ed25519 as 1.3.101.112. This is encoded as below per X.690 § 8.19. 119 const ED25519: &[u8] = [43, 101, 112].as_slice(); 120 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 121 /// defines ecdsa-with-SHA256 as 1.2.840.10045.4.3.2. This is encoded as 122 /// below per X.690 § 8.19. 123 const ECDSA_SHA256: &[u8] = [42, 134, 72, 206, 61, 4, 3, 2].as_slice(); 124 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 125 /// defines sha256WithRSAEncryption as 1.2.840.113549.1.1.11. This is encoded as 126 /// below per X.690 § 8.19. 127 const RSA_SHA256: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 11].as_slice(); 128 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 129 /// defines dsa-with-SHA256 as 2.16.840.1.101.3.4.3.2. This is encoded as 130 /// below per X.690 § 8.19. 131 const DSA_SHA256: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 2].as_slice(); 132 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 133 /// defines dsa-with-SHA1 as 1.2.840.10040.4.3. This is encoded as 134 /// below per X.690 § 8.19. 135 const DSA_SHA1: &[u8] = [42, 134, 72, 206, 56, 4, 3].as_slice(); 136 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 137 /// defines sha1WithRSAEncryption as 1.2.840.113549.1.1.5. This is encoded as 138 /// below per X.690 § 8.19. 139 const RSA_SHA1: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 5].as_slice(); 140 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 141 /// defines ecdsa-with-SHA384 as 1.2.840.10045.4.3.3. This is encoded as 142 /// below per X.690 § 8.19. 143 const ECDSA_SHA384: &[u8] = [42, 134, 72, 206, 61, 4, 3, 3].as_slice(); 144 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 145 /// defines sha384WithRSAEncryption as 1.2.840.113549.1.1.12. This is encoded as 146 /// below per X.690 § 8.19. 147 const RSA_SHA384: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 12].as_slice(); 148 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 149 /// defines ecdsa-with-SHA512 as 1.2.840.10045.4.3.4. This is encoded as 150 /// below per X.690 § 8.19. 151 const ECDSA_SHA512: &[u8] = [42, 134, 72, 206, 61, 4, 3, 4].as_slice(); 152 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 153 /// defines sha512WithRSAEncryption as 1.2.840.113549.1.1.13. This is encoded as 154 /// below per X.690 § 8.19. 155 const RSA_SHA512: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 13].as_slice(); 156 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 157 /// defines ecdsa-with-SHA224 as 1.2.840.10045.4.3.1. This is encoded as 158 /// below per X.690 § 8.19. 159 const ECDSA_SHA224: &[u8] = [42, 134, 72, 206, 61, 4, 3, 1].as_slice(); 160 /// [RFC 8017 § Appendix C](https://www.rfc-editor.org/rfc/rfc8017#appendix-C) 161 /// defines sha224WithRSAEncryption as 1.2.840.113549.1.1.14. This is encoded as 162 /// below per X.690 § 8.19. 163 const RSA_SHA224: &[u8] = [42, 134, 72, 134, 247, 13, 1, 1, 14].as_slice(); 164 /// [RFC 5912 § 6](https://www.rfc-editor.org/rfc/rfc5912.html#section-6) 165 /// defines dsa-with-SHA224 as 2.16.840.1.101.3.4.3.1. This is encoded as 166 /// below per X.690 § 8.19. 167 const DSA_SHA224: &[u8] = [96, 134, 72, 1, 101, 3, 4, 3, 1].as_slice(); 168 // The first octet represents a constructed sequence (i.e., 0x30) and the second octet represents 169 // the (possibly encoded) length of the remaining payload. 170 cert.split_at_checked(2).and_then(|(cert_seq, cert_rem)| { 171 // This won't `panic` since `cert_seq.len() == 2`. 172 // This represents the (possibly encoded) length. 173 // 174 // We don't care about the actual length of the payload. We only care about the number of bytes 175 // we need to skip until the (possibly encoded) length of the constructed sequence of 176 // tbsCertificate. 177 match cert_seq[1] { 178 // The length of the payload is represented with this byte; thus we only need to skip 179 // the constructed sequence byte (i.e., 0x30) of tbsCertificate. 180 ..=127 => Some(1), 181 // The length of the payload is invalid since DER-encoded lengths must use the minimum 182 // number of bytes possible. The high bit is set iff one or more octets are needed to encode 183 // the actual length. The number of octets is represented by the remaining bits; thus this 184 // means there are 0 bytes to encode the length, but then it should have been encoded as 185 // `0` and not `128`. 186 // 187 // 255 is not allowed to be used per § 8.1.3.5. 188 128 | 255 => None, 189 // The remaining bits represent the number of bytes that it takes to encode the length; 190 // thus we subtract 128 and add 1 to account for the constructed sequence byte (i.e., 0x30) 191 // of tbsCertificate. This is the same as just subtracting 127. 192 // 193 // Underflow clearly cannot occur since `len` is at least 129. 194 len @ 129.. => Some(usize::from(len) - 127), 195 } 196 .and_then(|skip| { 197 cert_rem.get(skip..).and_then(|tbs_rem_with_len| { 198 // Remaining payload starting from the (possibly encoded) length of tbsCertificate. 199 tbs_rem_with_len 200 // Extract the (possibly encoded) length of tbsCertificate. 201 .split_first() 202 .and_then(|(tbs_enc_len, tbs_rem)| { 203 // We need to extract how many bytes make up tbsCertificate that way 204 // we can skip it and get to the (possibly encoded) length of 205 // signatureAlgorithm. 206 match *tbs_enc_len { 207 // tbsCertificate is encoded in `len` bytes. We need to skip that many 208 // bytes taking into account the constructed sequence byte (i.e., 0x30) 209 // of signatureAlgorithm. 210 // 211 // This won't overflow since `len` is at most 127; thus this maxes at 128 212 // which is <= `usize::MAX`. 213 len @ ..=127 => Some(usize::from(len) + 1), 214 // The number of bytes tbsCertificate is encoded in takes 1 byte to encode 215 // We get that one byte since that is how many bytes we need to skip taking 216 // into account the byte and the constructed sequence byte (i.e., 0x30) of 217 // signatureAlgorithm. 218 // 219 // This won't overflow since this maxes at 255 + 2 = 257 <= usize::MAX. 220 129 => tbs_rem.first().map(|len| usize::from(*len) + 2), 221 // The number of bytes tbsCertificate is encoded in takes 2 bytes to encode. 222 // We get the two bytes since that is how many bytes we need to skip. 223 130 => tbs_rem.get(..2).and_then(|enc_len| { 224 let mut big_endian_len = [0; 2]; 225 // This won't `panic` since `enc_len.len() == 2`. 226 big_endian_len.copy_from_slice(enc_len); 227 // Multi-byte lengths are encoded in big-endian. 228 u16::from_be_bytes(big_endian_len) 229 // We need to account for the two bytes and the constructed sequence byte 230 // (i.e., 0x30) of signatureAlgorithm. 231 .checked_add(3) 232 // We don't support payloads larger than 65,535 since that is more than 233 // enough for a single certificate. 234 .map(usize::from) 235 }), 236 // We arbitrarily cap the size of payloads we accept to simplify decoding. 237 // If this is more than 130, then the payload is at least 16,777,216 bytes 238 // which is obscenely large for a single certificate. 128 is invalid. 239 _ => None, 240 } 241 .and_then(|tbs_len| { 242 tbs_rem.get(tbs_len..).and_then(|alg_rem_with_len| { 243 // Remaining payload starting from the (possibly encoded) length of 244 // signatureAlgorithm. 245 alg_rem_with_len 246 // Extract the (possibly encoded) length of signatureAlgorithm. 247 .split_first() 248 .and_then(|(alg_enc_len, alg_rem)| { 249 // We need to extract how many bytes make up signatureAlgorithm that way 250 // we can skip it and get to the (possibly encoded) length of algorithm. 251 match *alg_enc_len { 252 // The length of the payload is represented with this byte; thus we 253 // only need to skip the object identifier byte (i.e., 0x06) of 254 // algorithm. 255 ..=127 => Some(1), 256 // The length of the payload is invalid. 257 128 | 255 => None, 258 // The remaining bits represents the number of bytes that it takes to 259 // encode the length; thus we subtract 128 and add 1 to account for 260 // the object identifier byte (i.e., 0x06) of algorithm. 261 // This is the same as just subtracting 127. 262 // 263 // Underflow clearly cannot occur since `len` is at least 129. 264 len @ 129.. => Some(usize::from(len) - 127), 265 } 266 .and_then( 267 |alg_skip| { 268 alg_rem.get(alg_skip..).and_then(|oid_rem| { 269 // Remaining payload starting from the (possibly encoded) 270 // length of algorithm, and we extract the 271 // (possibly encoded) length of algorithm. 272 oid_rem.split_first().and_then( 273 |(oid_enc_len, rem)| { 274 // Extract the algorithm. 275 // Recall we don't care if the certificate is 276 // invalid, and we only support algorithms of 277 // length at most 127. As a result, we treat 278 // `oid_enc_len` as is. 279 rem.get(..usize::from(*oid_enc_len)) 280 .and_then(|oid| match oid { 281 ED25519 | ECDSA_SHA256 282 | RSA_SHA256 | DSA_SHA256 283 // [RFC 5929 § 4.1](https://www.rfc-editor.org/rfc/rfc5929#section-4.1) 284 // mandates that SHA-1 based signatures 285 // use SHA-256. 286 | DSA_SHA1 | RSA_SHA1 => { 287 Some(Self::Sha256( 288 Sha256::digest( 289 cert, 290 ), 291 )) 292 } 293 ECDSA_SHA384 294 | RSA_SHA384 => { 295 Some(Self::Sha384( 296 Sha384::digest( 297 cert, 298 ), 299 )) 300 } 301 ECDSA_SHA512 302 | RSA_SHA512 => { 303 Some(Self::Sha512( 304 Sha512::digest( 305 cert, 306 ), 307 )) 308 } 309 ECDSA_SHA224 310 | RSA_SHA224 311 | DSA_SHA224 => { 312 Some(Self::Sha224( 313 Sha224::digest( 314 cert, 315 ), 316 )) 317 } 318 _ => None, 319 }) 320 }, 321 ) 322 }) 323 }, 324 ) 325 }) 326 }) 327 }) 328 }) 329 }) 330 }) 331 }) 332 } 333 } 334 /// The [`TlsConnector::Stream`] returned from [`TlsConnectorFuture::poll`]. 335 #[derive(Debug)] 336 pub struct TlsStream<S>(RustlsStream<S>); 337 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncRead for TlsStream<S> { 338 #[inline] 339 fn poll_read( 340 mut self: Pin<&mut Self>, 341 cx: &mut Context<'_>, 342 buf: &mut ReadBuf<'_>, 343 ) -> Poll<io::Result<()>> { 344 Pin::new(&mut self.0).poll_read(cx, buf) 345 } 346 } 347 impl<S: AsyncRead + AsyncWrite + Unpin> AsyncWrite for TlsStream<S> { 348 #[inline] 349 fn poll_write( 350 mut self: Pin<&mut Self>, 351 cx: &mut Context<'_>, 352 buf: &[u8], 353 ) -> Poll<Result<usize, io::Error>> { 354 Pin::new(&mut self.0).poll_write(cx, buf) 355 } 356 #[inline] 357 fn poll_flush(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), io::Error>> { 358 Pin::new(&mut self.0).poll_flush(cx) 359 } 360 #[inline] 361 fn poll_shutdown( 362 mut self: Pin<&mut Self>, 363 cx: &mut Context<'_>, 364 ) -> Poll<Result<(), io::Error>> { 365 Pin::new(&mut self.0).poll_shutdown(cx) 366 } 367 #[inline] 368 fn poll_write_vectored( 369 mut self: Pin<&mut Self>, 370 cx: &mut Context<'_>, 371 bufs: &[IoSlice<'_>], 372 ) -> Poll<Result<usize, io::Error>> { 373 Pin::new(&mut self.0).poll_write_vectored(cx, bufs) 374 } 375 #[inline] 376 fn is_write_vectored(&self) -> bool { 377 self.0.is_write_vectored() 378 } 379 } 380 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsStream for TlsStream<S> { 381 /// Returns the [`ChannelBinding`] based on the X.509 v3 certificate sent from the PostgreSQL server. 382 /// 383 /// Note when this returns [`ChannelBinding::tls_server_end_point`], it _does not_ mean the certificate 384 /// is valid. In certain circumstances, this will return that even for an invalid certificate. This should 385 /// not matter since the certificate being invalid will cause the certificate to be rejected anyway. When 386 /// the certificate is valid and uses a supported signature algorithm, then this will always return the 387 /// correct value. 388 /// 389 /// The only supported signature algorithms are the following: 390 /// 391 /// * id-Ed25519 392 /// * ecdsa-with-SHA256 393 /// * sha256WithRSAEncryption 394 /// * ecdsa-with-SHA384 395 /// * sha384WithRSAEncryption 396 /// * ecdsa-with-SHA512 397 /// * sha512WithRSAEncryption 398 /// * ecdsa-with-SHA224 399 /// * sha224WithRSAEncryption 400 /// * dsa-with-SHA256 401 /// * dsa-with-SHA224 402 /// * dsa-with-SHA1 403 /// * sha1WithRSAEncryption 404 /// 405 /// Note it is strongly recommended that TLS 1.3 be used; thus while signature algorithms that are not 406 /// part of TLS 1.3 are supported, you should avoid them. 407 /// See [RFC 9266 § 4.2](https://www.rfc-editor.org/rfc/rfc9266#section-4.2). 408 /// Additionally some of the supported signature algorithms may not be supported by PostgreSQL 409 /// (e.g., id-Ed25519). 410 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 411 #[inline] 412 fn channel_binding(&self) -> ChannelBinding { 413 self.0 414 .get_ref() 415 .1 416 .peer_certificates() 417 .and_then(|certs| { 418 certs.first().and_then(|fst| { 419 Hash::from_der_cert(fst) 420 .map(|hash| ChannelBinding::tls_server_end_point(hash.into())) 421 }) 422 }) 423 .unwrap_or_else(ChannelBinding::none) 424 } 425 } 426 /// [`TlsConnector::Future`] returned from [`TlsConnector::connect`]. 427 #[expect( 428 missing_debug_implementations, 429 reason = "Connect does not implement Debug, so we don't" 430 )] 431 pub struct TlsConnectorFuture<S>(Connect<S>); 432 impl<S: AsyncRead + AsyncWrite + Unpin> Future for TlsConnectorFuture<S> { 433 type Output = io::Result<TlsStream<S>>; 434 #[inline] 435 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 436 Pin::new(&mut self.0).poll(cx).map_ok(TlsStream) 437 } 438 } 439 /// Connects to the PostgreSQL server. 440 #[expect( 441 missing_debug_implementations, 442 reason = "TlsConnector does not implement Debug, so we don't" 443 )] 444 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 445 pub struct TlsConnector<'domain> { 446 /// Used to connect to the PostgreSQL server. 447 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 448 connector: tokio_rustls::TlsConnector, 449 /// The domain or IP of the PostgreSQL server. 450 #[expect(clippy::doc_markdown, reason = "PostgreSQL is correct")] 451 dom: ServerName<'domain>, 452 } 453 impl<'domain> TlsConnector<'domain> { 454 /// Returns `Self` based on `connector` and `domain`. 455 /// 456 /// # Errors 457 /// 458 /// Errors iff [`ServerName::try_from`] does when passed `domain`. 459 #[expect(single_use_lifetimes, reason = "false positive")] 460 #[inline] 461 pub fn new<'dom: 'domain>( 462 connector: tokio_rustls::TlsConnector, 463 domain: &'dom str, 464 ) -> Result<Self, InvalidDnsNameError> { 465 ServerName::try_from(domain).map(|dom| Self { connector, dom }) 466 } 467 } 468 impl<S: AsyncRead + AsyncWrite + Unpin> PgTlsConnect<S> for TlsConnector<'static> { 469 type Stream = TlsStream<S>; 470 type Error = io::Error; 471 type Future = TlsConnectorFuture<S>; 472 #[inline] 473 fn connect(self, stream: S) -> Self::Future { 474 TlsConnectorFuture(self.connector.connect(self.dom, stream)) 475 } 476 } 477 /// [`MakeTlsConnect`] based on [`tokio_rustls::TlsConnector`]. 478 #[expect( 479 missing_debug_implementations, 480 reason = "TlsConnector does not implement Debug, so we don't" 481 )] 482 #[cfg(feature = "runtime")] 483 #[derive(Clone)] 484 pub struct MakeTlsConnector(tokio_rustls::TlsConnector); 485 #[cfg(feature = "runtime")] 486 impl MakeTlsConnector { 487 /// Constructs `Self` based on `connector`. 488 #[inline] 489 #[must_use] 490 pub const fn new(connector: tokio_rustls::TlsConnector) -> Self { 491 Self(connector) 492 } 493 } 494 #[cfg(feature = "runtime")] 495 impl<S: AsyncRead + AsyncWrite + Unpin> MakeTlsConnect<S> for MakeTlsConnector { 496 type Stream = TlsStream<S>; 497 type TlsConnect = TlsConnector<'static>; 498 type Error = InvalidDnsNameError; 499 #[inline] 500 fn make_tls_connect(&mut self, domain: &str) -> Result<Self::TlsConnect, Self::Error> { 501 ServerName::try_from(domain).map(|dom| TlsConnector { 502 connector: self.0.clone(), 503 dom: dom.to_owned(), 504 }) 505 } 506 } 507 /// Removes any ALPN values and adds the `b"postgresql"` ALPN. 508 #[inline] 509 pub fn set_postgresql_alpn(config: &mut ClientConfig) { 510 config.alpn_protocols.clear(); 511 config.alpn_protocols.push(vec![ 512 b'p', b'o', b's', b't', b'g', b'r', b'e', b's', b'q', b'l', 513 ]); 514 } 515 #[cfg(test)] 516 mod tests { 517 #[cfg(feature = "runtime")] 518 extern crate alloc; 519 use super::Hash; 520 #[cfg(feature = "runtime")] 521 use super::MakeTlsConnector; 522 #[cfg(feature = "runtime")] 523 use alloc::sync::Arc; 524 #[cfg(feature = "runtime")] 525 use core::{ 526 net::{IpAddr, Ipv6Addr}, 527 time::Duration, 528 }; 529 use sha2::{Digest as _, Sha224, Sha256, Sha384, Sha512}; 530 #[cfg(feature = "runtime")] 531 use std::{fs, io::Error}; 532 #[cfg(feature = "runtime")] 533 use tokio::runtime::Builder; 534 #[cfg(feature = "runtime")] 535 use tokio_postgres::{ 536 Config, 537 config::{ChannelBinding, LoadBalanceHosts, SslMode, TargetSessionAttrs}, 538 }; 539 #[cfg(feature = "runtime")] 540 use tokio_rustls::rustls::{ 541 self, ClientConfig, RootCertStore, 542 pki_types::{ 543 CertificateDer, PrivateKeyDer, 544 pem::{Error as PemErr, PemObject as _}, 545 }, 546 version::TLS13, 547 }; 548 #[test] 549 fn parse_ed25519() { 550 /// Certificate that uses Ed25519. 551 const CERT: &[u8] = [ 552 48, 130, 1, 125, 48, 130, 1, 47, 160, 3, 2, 1, 2, 2, 1, 29, 48, 5, 6, 3, 43, 101, 112, 553 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 3, 85, 4, 10, 554 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 82, 111, 555 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 56, 48, 53, 90, 23, 13, 556 50, 53, 48, 51, 49, 54, 48, 48, 52, 56, 48, 53, 90, 48, 43, 49, 11, 48, 9, 6, 3, 85, 4, 557 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 116, 49, 13, 558 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 42, 48, 5, 6, 3, 43, 101, 112, 3, 559 33, 0, 142, 168, 95, 146, 122, 142, 177, 52, 239, 161, 27, 41, 80, 58, 167, 248, 211, 560 181, 154, 201, 26, 195, 207, 27, 132, 228, 110, 149, 95, 212, 44, 202, 163, 117, 48, 561 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 238, 12, 127, 172, 94, 237, 69, 62, 240, 562 99, 1, 2, 35, 161, 201, 129, 19, 85, 0, 227, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 563 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 564 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 565 22, 128, 20, 199, 177, 144, 22, 54, 182, 183, 202, 234, 246, 98, 108, 85, 32, 30, 132, 566 146, 221, 218, 80, 48, 5, 6, 3, 43, 101, 112, 3, 65, 0, 133, 253, 192, 202, 50, 167, 567 57, 5, 246, 17, 58, 232, 188, 41, 147, 232, 35, 206, 147, 181, 0, 139, 95, 3, 24, 139, 568 17, 102, 113, 186, 146, 163, 97, 157, 255, 50, 193, 230, 159, 170, 218, 35, 56, 99, 89, 569 251, 173, 97, 106, 15, 52, 71, 209, 69, 109, 216, 140, 235, 37, 23, 185, 173, 215, 0, 570 ] 571 .as_slice(); 572 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 573 Hash::Sha256(ref sha_hash) => *sha_hash == Sha256::digest(CERT), 574 Hash::Sha384(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 575 })); 576 } 577 #[test] 578 fn parse_ecdsa_sha256() { 579 /// Certificate that uses ECDSA with SHA-256. 580 const CERT: &[u8] = [ 581 48, 130, 1, 189, 48, 130, 1, 99, 160, 3, 2, 1, 2, 2, 1, 27, 48, 10, 6, 8, 42, 134, 72, 582 206, 61, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 583 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 584 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 49, 51, 585 48, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 49, 51, 48, 90, 48, 43, 49, 11, 48, 586 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 587 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 89, 48, 19, 6, 7, 588 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0, 4, 195, 27, 589 22, 133, 220, 98, 146, 255, 201, 209, 114, 117, 93, 119, 207, 46, 228, 132, 210, 187, 590 134, 197, 201, 194, 147, 51, 111, 17, 187, 179, 129, 180, 129, 62, 164, 27, 199, 95, 591 59, 16, 167, 134, 233, 53, 127, 194, 187, 144, 193, 106, 100, 37, 104, 219, 164, 155, 592 58, 210, 106, 12, 192, 247, 72, 183, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 593 22, 4, 20, 84, 214, 179, 28, 250, 191, 223, 88, 72, 221, 229, 63, 123, 177, 146, 167, 594 224, 18, 24, 0, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 595 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 596 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 43, 80, 133, 597 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 100, 138, 233, 225, 48, 10, 598 6, 8, 42, 134, 72, 206, 61, 4, 3, 2, 3, 72, 0, 48, 69, 2, 32, 107, 43, 12, 27, 111, 599 216, 19, 191, 199, 1, 202, 22, 147, 43, 16, 188, 36, 156, 141, 80, 115, 124, 160, 211, 600 19, 123, 41, 216, 94, 19, 236, 0, 2, 33, 0, 164, 138, 200, 40, 159, 245, 38, 70, 207, 601 160, 121, 19, 56, 240, 18, 222, 191, 196, 217, 129, 24, 92, 238, 43, 39, 29, 57, 85, 602 56, 11, 178, 88, 603 ] 604 .as_slice(); 605 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 606 Hash::Sha256(ref sha_hash) => *sha_hash == Sha256::digest(CERT), 607 Hash::Sha384(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 608 })); 609 } 610 #[test] 611 fn parse_ecdsa_sha384() { 612 /// Certificate that uses ECDSA with SHA-384. 613 const CERT: &[u8] = [ 614 48, 130, 1, 218, 48, 130, 1, 128, 160, 3, 2, 1, 2, 2, 1, 25, 48, 10, 6, 8, 42, 134, 72, 615 206, 61, 4, 3, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 616 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 617 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 57, 51, 618 55, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 57, 51, 55, 90, 48, 43, 49, 11, 48, 619 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 620 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 118, 48, 16, 6, 7, 621 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 246, 106, 156, 228, 622 83, 166, 254, 62, 196, 22, 127, 171, 204, 182, 154, 182, 253, 35, 95, 120, 253, 231, 623 78, 20, 146, 203, 186, 201, 147, 48, 197, 96, 195, 202, 5, 235, 201, 168, 28, 117, 62, 624 47, 121, 211, 58, 67, 32, 96, 129, 15, 215, 172, 135, 222, 180, 101, 196, 18, 41, 107, 625 6, 161, 172, 183, 217, 106, 227, 24, 140, 13, 145, 245, 137, 185, 4, 78, 210, 56, 235, 626 159, 203, 241, 203, 239, 39, 90, 98, 227, 215, 221, 119, 65, 47, 68, 2, 200, 163, 117, 627 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 88, 91, 22, 70, 200, 54, 182, 100, 628 191, 186, 73, 152, 174, 87, 56, 64, 26, 173, 27, 43, 48, 12, 6, 3, 85, 29, 19, 1, 1, 629 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 630 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 631 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 632 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 72, 0, 633 48, 69, 2, 33, 0, 210, 47, 45, 107, 132, 43, 161, 65, 132, 15, 148, 184, 203, 125, 234, 634 232, 111, 216, 238, 113, 187, 201, 114, 177, 218, 234, 201, 126, 204, 118, 80, 225, 2, 635 32, 67, 111, 72, 96, 182, 167, 191, 130, 118, 105, 253, 133, 58, 38, 65, 112, 234, 3, 636 23, 77, 182, 0, 195, 80, 181, 65, 76, 243, 4, 145, 200, 255, 637 ] 638 .as_slice(); 639 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 640 Hash::Sha384(ref sha_hash) => *sha_hash == Sha384::digest(CERT), 641 Hash::Sha256(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 642 })); 643 } 644 #[test] 645 fn parse_ecdsa_sha512() { 646 /// Certificate that uses ECDSA with SHA-512. 647 const CERT: &[u8] = [ 648 48, 130, 2, 1, 48, 130, 1, 166, 160, 3, 2, 1, 2, 2, 1, 24, 48, 10, 6, 8, 42, 134, 72, 649 206, 61, 4, 3, 4, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 650 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 651 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 51, 56, 51, 652 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 51, 56, 51, 54, 90, 48, 43, 49, 11, 48, 653 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 654 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 129, 155, 48, 16, 6, 655 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 35, 3, 129, 134, 0, 4, 1, 86, 143, 656 210, 217, 20, 143, 103, 172, 34, 97, 62, 173, 15, 43, 199, 93, 220, 81, 75, 137, 219, 657 111, 217, 127, 6, 8, 115, 160, 121, 146, 138, 64, 110, 14, 193, 98, 164, 226, 208, 89, 658 120, 108, 30, 107, 77, 194, 63, 41, 112, 173, 112, 44, 85, 54, 155, 168, 189, 235, 129, 659 214, 104, 152, 198, 252, 62, 1, 87, 193, 205, 162, 152, 15, 26, 111, 231, 183, 106, 660 145, 29, 251, 188, 148, 239, 192, 53, 186, 34, 13, 104, 231, 85, 127, 17, 67, 54, 116, 661 232, 85, 23, 143, 68, 171, 30, 25, 155, 201, 171, 106, 89, 20, 234, 12, 192, 68, 102, 662 166, 50, 246, 130, 117, 62, 222, 142, 98, 62, 43, 9, 109, 74, 138, 180, 163, 117, 48, 663 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 148, 160, 104, 250, 171, 155, 48, 171, 13, 664 164, 221, 144, 240, 194, 250, 9, 183, 72, 158, 141, 48, 12, 6, 3, 85, 29, 19, 1, 1, 665 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 666 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 667 4, 24, 48, 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 668 149, 250, 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 4, 3, 73, 0, 669 48, 70, 2, 33, 0, 179, 24, 50, 50, 127, 141, 167, 197, 29, 35, 234, 81, 215, 112, 233, 670 218, 84, 151, 136, 117, 40, 106, 164, 156, 205, 75, 6, 133, 64, 52, 161, 116, 2, 33, 0, 671 141, 178, 46, 201, 22, 126, 42, 84, 96, 191, 175, 219, 140, 72, 252, 6, 152, 112, 113, 672 232, 38, 101, 11, 215, 20, 143, 22, 199, 38, 237, 179, 108, 673 ] 674 .as_slice(); 675 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 676 Hash::Sha512(ref sha_hash) => *sha_hash == Sha512::digest(CERT), 677 Hash::Sha256(_) | Hash::Sha384(_) | Hash::Sha224(_) => false, 678 })); 679 } 680 #[test] 681 fn parse_ecdsa_sha224() { 682 /// Certificate that uses ECDSA with SHA-224. 683 const CERT: &[u8] = [ 684 48, 130, 1, 178, 48, 130, 1, 88, 160, 3, 2, 1, 2, 2, 1, 28, 48, 10, 6, 8, 42, 134, 72, 685 206, 61, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 686 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 687 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 52, 50, 49, 688 52, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 52, 50, 49, 52, 90, 48, 43, 49, 11, 48, 689 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 690 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 78, 48, 16, 6, 7, 691 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 33, 3, 58, 0, 4, 235, 241, 149, 78, 692 60, 248, 123, 132, 195, 228, 188, 151, 240, 28, 76, 198, 207, 121, 165, 126, 245, 158, 693 214, 232, 69, 198, 114, 117, 86, 137, 15, 86, 40, 171, 27, 36, 8, 43, 190, 138, 193, 694 136, 118, 43, 29, 119, 182, 21, 14, 123, 110, 81, 81, 72, 44, 195, 163, 117, 48, 115, 695 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 203, 141, 20, 54, 48, 176, 180, 57, 46, 1, 91, 696 221, 116, 154, 205, 81, 187, 184, 24, 211, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 697 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 29, 37, 1, 1, 698 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 699 22, 128, 20, 43, 80, 133, 205, 3, 144, 105, 186, 141, 39, 47, 176, 39, 123, 149, 250, 700 100, 138, 233, 225, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 1, 3, 72, 0, 48, 69, 2, 701 32, 64, 186, 179, 226, 82, 176, 87, 158, 166, 22, 31, 27, 19, 190, 112, 167, 241, 159, 702 33, 198, 60, 70, 68, 120, 19, 63, 33, 244, 236, 240, 216, 181, 2, 33, 0, 252, 183, 115, 703 52, 189, 151, 44, 178, 62, 209, 159, 31, 154, 152, 69, 189, 121, 148, 57, 231, 27, 22, 704 165, 212, 65, 202, 124, 15, 53, 150, 93, 183, 705 ] 706 .as_slice(); 707 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 708 Hash::Sha224(ref sha_hash) => *sha_hash == Sha224::digest(CERT), 709 Hash::Sha256(_) | Hash::Sha384(_) | Hash::Sha512(_) => false, 710 })); 711 } 712 #[test] 713 fn parse_rsa_sha256() { 714 /// Certificate that uses RSA with SHA-256. 715 const CERT: &[u8] = [ 716 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 31, 48, 13, 6, 9, 42, 134, 72, 717 134, 247, 13, 1, 1, 11, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 718 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 719 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 720 48, 51, 48, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 51, 48, 53, 90, 48, 43, 721 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 722 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 723 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 724 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 725 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 726 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 727 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 728 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 729 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 730 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 731 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 732 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 733 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 734 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 735 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 736 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 737 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 738 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 739 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 740 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 741 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 742 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 743 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 744 11, 5, 0, 3, 130, 1, 1, 0, 28, 109, 109, 197, 99, 197, 36, 180, 154, 215, 173, 215, 24, 745 94, 47, 218, 147, 163, 179, 123, 248, 3, 144, 109, 173, 207, 49, 113, 249, 188, 31, 746 178, 16, 88, 88, 56, 11, 86, 127, 193, 23, 165, 65, 190, 84, 170, 156, 190, 52, 87, 747 119, 213, 106, 184, 11, 204, 151, 148, 205, 100, 233, 46, 170, 45, 161, 100, 58, 46, 748 105, 25, 150, 78, 146, 41, 100, 125, 203, 214, 238, 104, 251, 25, 183, 66, 102, 241, 749 110, 56, 55, 205, 122, 234, 205, 90, 91, 247, 143, 129, 217, 6, 190, 120, 18, 190, 11, 750 121, 207, 142, 170, 57, 236, 243, 113, 53, 167, 188, 26, 134, 175, 107, 195, 48, 119, 751 78, 117, 157, 104, 247, 65, 122, 153, 234, 166, 88, 142, 228, 25, 120, 243, 51, 111, 8, 752 43, 199, 255, 162, 186, 18, 64, 54, 96, 44, 138, 144, 237, 89, 176, 189, 245, 194, 96, 753 232, 196, 0, 50, 51, 98, 32, 163, 177, 130, 113, 41, 116, 33, 40, 190, 111, 79, 108, 754 107, 159, 65, 87, 222, 173, 170, 39, 29, 97, 240, 107, 130, 101, 247, 123, 85, 123, 755 247, 221, 89, 159, 114, 157, 35, 153, 22, 127, 149, 224, 158, 236, 4, 137, 193, 135, 756 136, 97, 222, 83, 232, 205, 148, 127, 139, 78, 220, 10, 183, 139, 205, 190, 181, 36, 757 61, 155, 88, 163, 50, 120, 153, 41, 182, 75, 219, 95, 25, 40, 229, 106, 87, 215, 77, 758 50, 219, 97, 759 ] 760 .as_slice(); 761 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 762 Hash::Sha256(ref sha_hash) => *sha_hash == Sha256::digest(CERT), 763 Hash::Sha384(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 764 })); 765 } 766 #[test] 767 fn parse_rsa_sha384() { 768 /// Certificate that uses RSA with SHA-384. 769 const CERT: &[u8] = [ 770 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 32, 48, 13, 6, 9, 42, 134, 72, 771 134, 247, 13, 1, 1, 12, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 772 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 773 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 774 48, 53, 52, 54, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 53, 52, 54, 90, 48, 43, 775 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 776 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 777 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 778 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 779 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 780 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 781 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 782 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 783 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 784 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 785 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 786 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 787 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 788 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 789 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 790 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 791 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 792 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 793 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 794 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 795 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 796 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 797 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 798 12, 5, 0, 3, 130, 1, 1, 0, 135, 249, 101, 184, 225, 162, 164, 193, 23, 81, 98, 221, 799 134, 87, 34, 94, 229, 131, 221, 17, 38, 61, 156, 200, 113, 94, 244, 188, 226, 84, 74, 800 96, 205, 237, 230, 242, 168, 238, 178, 133, 68, 188, 80, 244, 60, 42, 169, 54, 66, 79, 801 104, 66, 251, 27, 240, 108, 16, 46, 175, 62, 240, 194, 7, 181, 238, 211, 118, 149, 150, 802 46, 97, 39, 28, 173, 225, 49, 73, 206, 147, 101, 12, 192, 218, 119, 208, 73, 20, 208, 803 229, 216, 133, 213, 28, 165, 70, 20, 158, 114, 223, 40, 121, 13, 236, 218, 165, 237, 804 164, 196, 94, 80, 120, 49, 212, 241, 213, 197, 201, 104, 67, 223, 130, 148, 197, 251, 805 199, 167, 6, 89, 146, 139, 141, 32, 78, 72, 190, 146, 94, 251, 208, 47, 118, 173, 111, 806 92, 241, 102, 26, 233, 145, 46, 220, 230, 5, 147, 220, 92, 240, 133, 24, 192, 71, 49, 807 252, 84, 163, 132, 34, 139, 12, 106, 4, 189, 151, 37, 34, 123, 26, 42, 84, 46, 232, 14, 808 129, 101, 84, 26, 25, 219, 11, 115, 214, 106, 12, 75, 199, 248, 218, 239, 209, 32, 159, 809 40, 192, 11, 2, 175, 51, 232, 20, 8, 72, 188, 184, 177, 22, 251, 238, 42, 74, 21, 25, 810 93, 77, 184, 5, 207, 101, 98, 60, 214, 173, 169, 56, 54, 211, 167, 55, 34, 14, 184, 25, 811 4, 170, 108, 94, 110, 27, 45, 11, 22, 61, 130, 63, 214, 168, 72, 812 ] 813 .as_slice(); 814 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 815 Hash::Sha384(ref sha_hash) => *sha_hash == Sha384::digest(CERT), 816 Hash::Sha256(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 817 })); 818 } 819 #[test] 820 fn parse_rsa_sha512() { 821 /// Certificate that uses RSA with SHA-512. 822 const CERT: &[u8] = [ 823 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 33, 48, 13, 6, 9, 42, 134, 72, 824 134, 247, 13, 1, 1, 13, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 825 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 826 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 827 48, 54, 52, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 54, 52, 53, 90, 48, 43, 828 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 829 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 830 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 831 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 832 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 833 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 834 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 835 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 836 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 837 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 838 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 839 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 840 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 841 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 842 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 843 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 844 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 845 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 846 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 847 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 848 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 849 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 850 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 851 13, 5, 0, 3, 130, 1, 1, 0, 106, 7, 136, 82, 232, 55, 0, 98, 9, 211, 201, 57, 239, 67, 852 167, 139, 225, 164, 231, 255, 10, 52, 47, 234, 254, 75, 239, 241, 39, 6, 226, 209, 210, 853 169, 200, 32, 255, 83, 159, 23, 146, 9, 109, 173, 236, 216, 253, 199, 229, 23, 227, 33, 854 56, 98, 109, 59, 2, 167, 29, 118, 251, 82, 193, 39, 244, 191, 166, 194, 160, 105, 197, 855 190, 213, 141, 193, 50, 45, 245, 163, 229, 116, 221, 29, 194, 91, 198, 187, 21, 224, 856 95, 17, 203, 148, 160, 4, 15, 54, 249, 69, 12, 18, 25, 58, 190, 205, 44, 157, 184, 1, 857 25, 64, 219, 237, 196, 33, 101, 255, 146, 232, 112, 247, 214, 174, 252, 152, 146, 142, 858 231, 81, 35, 240, 216, 98, 136, 65, 179, 237, 207, 229, 198, 72, 175, 244, 31, 126, 859 106, 107, 100, 200, 81, 227, 41, 61, 26, 122, 226, 121, 219, 131, 212, 206, 238, 14, 860 210, 70, 60, 107, 115, 214, 67, 180, 133, 157, 114, 138, 63, 249, 71, 235, 41, 246, 14, 861 14, 4, 254, 208, 215, 111, 196, 248, 117, 61, 44, 67, 185, 11, 132, 10, 188, 220, 110, 862 78, 61, 171, 88, 172, 161, 1, 223, 52, 75, 101, 55, 249, 125, 178, 141, 127, 0, 246, 863 176, 34, 120, 93, 214, 37, 210, 148, 217, 149, 255, 63, 32, 58, 8, 71, 179, 62, 119, 864 14, 47, 191, 207, 137, 22, 255, 21, 71, 46, 42, 176, 31, 206, 146, 248, 105, 865 ] 866 .as_slice(); 867 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 868 Hash::Sha512(ref sha_hash) => *sha_hash == Sha512::digest(CERT), 869 Hash::Sha256(_) | Hash::Sha384(_) | Hash::Sha224(_) => false, 870 })); 871 } 872 #[test] 873 fn parse_rsa_sha224() { 874 /// Certificate that uses RSA with SHA-224. 875 const CERT: &[u8] = [ 876 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 30, 48, 13, 6, 9, 42, 134, 72, 877 134, 247, 13, 1, 1, 14, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 878 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 879 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 48, 880 53, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 48, 53, 57, 50, 56, 90, 48, 43, 881 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 882 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 883 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 884 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 885 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 886 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 887 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 888 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 889 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 890 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 891 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 892 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 893 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 894 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 895 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 896 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 897 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 898 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 899 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 900 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 901 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 902 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 903 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 904 14, 5, 0, 3, 130, 1, 1, 0, 122, 121, 0, 201, 250, 195, 66, 213, 60, 117, 213, 188, 93, 905 193, 88, 130, 241, 219, 111, 238, 109, 38, 220, 131, 164, 12, 135, 169, 58, 140, 214, 906 211, 93, 51, 204, 242, 10, 119, 123, 23, 69, 67, 135, 151, 245, 23, 144, 61, 233, 229, 907 122, 189, 111, 89, 190, 100, 251, 86, 185, 246, 40, 121, 190, 192, 199, 119, 232, 209, 908 202, 23, 20, 46, 48, 235, 175, 240, 225, 106, 6, 24, 239, 172, 51, 196, 63, 189, 210, 909 167, 244, 87, 245, 193, 130, 33, 171, 165, 117, 180, 25, 250, 21, 6, 208, 124, 254, 64, 910 180, 50, 124, 234, 179, 121, 183, 0, 71, 118, 28, 115, 86, 117, 60, 96, 164, 33, 54, 1, 911 86, 234, 132, 146, 156, 221, 52, 28, 39, 237, 128, 75, 157, 169, 203, 26, 48, 74, 4, 912 129, 162, 139, 235, 16, 74, 236, 151, 0, 150, 234, 246, 204, 180, 240, 31, 92, 129, 51, 913 221, 118, 10, 192, 140, 32, 33, 21, 223, 113, 35, 86, 47, 236, 159, 252, 52, 185, 41, 914 151, 56, 126, 251, 165, 126, 214, 27, 213, 169, 211, 174, 26, 55, 21, 11, 187, 189, 96, 915 67, 141, 124, 178, 51, 37, 80, 17, 220, 210, 193, 243, 127, 46, 82, 75, 172, 187, 156, 916 222, 186, 3, 13, 194, 104, 234, 131, 96, 99, 34, 1, 61, 149, 219, 33, 227, 34, 215, 917 211, 82, 106, 57, 61, 185, 178, 1, 191, 14, 196, 52, 5, 38, 27, 232, 918 ] 919 .as_slice(); 920 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 921 Hash::Sha224(ref sha_hash) => *sha_hash == Sha224::digest(CERT), 922 Hash::Sha256(_) | Hash::Sha384(_) | Hash::Sha512(_) => false, 923 })); 924 } 925 #[test] 926 fn parse_rsa_sha1() { 927 /// Certificate that uses RSA with SHA-1. 928 const CERT: &[u8] = [ 929 48, 130, 3, 73, 48, 130, 2, 49, 160, 3, 2, 1, 2, 2, 1, 34, 48, 13, 6, 9, 42, 134, 72, 930 134, 247, 13, 1, 1, 5, 5, 0, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 931 16, 48, 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 932 3, 85, 4, 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 933 48, 57, 50, 56, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 48, 57, 50, 56, 90, 48, 43, 934 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 935 84, 101, 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 936 1, 34, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 3, 130, 1, 15, 0, 48, 937 130, 1, 10, 2, 130, 1, 1, 0, 157, 28, 83, 190, 61, 252, 154, 205, 112, 191, 153, 197, 938 22, 159, 92, 161, 84, 84, 181, 67, 218, 26, 189, 52, 245, 184, 150, 248, 142, 15, 214, 939 118, 205, 243, 107, 45, 103, 205, 9, 198, 129, 115, 7, 195, 115, 131, 34, 244, 217, 42, 940 234, 170, 84, 41, 128, 49, 81, 175, 208, 42, 100, 168, 44, 145, 226, 11, 98, 245, 83, 941 134, 213, 30, 76, 239, 43, 82, 222, 175, 254, 135, 124, 16, 218, 105, 159, 219, 43, 8, 942 109, 1, 228, 16, 190, 160, 28, 100, 120, 245, 100, 164, 45, 128, 181, 238, 152, 227, 943 50, 63, 162, 191, 4, 173, 210, 254, 31, 141, 66, 193, 237, 20, 92, 34, 13, 74, 135, 80, 944 201, 12, 158, 51, 54, 91, 53, 97, 115, 212, 97, 6, 160, 45, 77, 40, 165, 55, 128, 230, 945 105, 31, 76, 197, 211, 111, 197, 169, 167, 136, 2, 249, 117, 65, 127, 163, 217, 169, 946 151, 97, 209, 194, 179, 203, 81, 58, 52, 66, 11, 184, 172, 97, 70, 124, 125, 151, 159, 947 102, 224, 24, 159, 233, 169, 95, 66, 17, 180, 69, 48, 233, 5, 250, 37, 55, 35, 200, 948 212, 225, 197, 240, 19, 22, 106, 101, 171, 190, 135, 3, 75, 157, 240, 149, 107, 208, 949 94, 58, 244, 204, 105, 9, 32, 203, 162, 194, 39, 12, 97, 16, 153, 236, 60, 93, 24, 252, 950 103, 231, 164, 19, 55, 233, 181, 103, 135, 187, 40, 202, 210, 125, 88, 73, 2, 3, 1, 0, 951 1, 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 91, 156, 56, 249, 82, 5, 952 5, 2, 2, 21, 57, 237, 90, 8, 188, 55, 139, 113, 229, 132, 48, 12, 6, 3, 85, 29, 19, 1, 953 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 954 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 955 35, 4, 24, 48, 22, 128, 20, 96, 178, 34, 145, 205, 104, 56, 196, 211, 241, 34, 247, 956 125, 194, 215, 110, 191, 133, 151, 15, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 957 5, 5, 0, 3, 130, 1, 1, 0, 12, 93, 61, 154, 152, 205, 44, 219, 157, 214, 4, 162, 93, 85, 958 60, 231, 231, 206, 193, 160, 133, 28, 61, 113, 102, 120, 137, 120, 175, 11, 244, 113, 959 217, 81, 151, 123, 210, 108, 156, 145, 99, 158, 104, 10, 25, 129, 95, 128, 140, 44, 960 153, 65, 175, 32, 37, 189, 186, 43, 101, 153, 98, 160, 95, 13, 154, 86, 221, 99, 210, 961 157, 25, 41, 98, 79, 252, 2, 8, 221, 120, 71, 54, 221, 34, 180, 109, 181, 185, 58, 2, 962 119, 167, 50, 172, 167, 192, 136, 24, 227, 40, 211, 18, 98, 2, 175, 174, 42, 100, 136, 963 83, 116, 7, 50, 50, 215, 164, 90, 49, 231, 106, 240, 246, 95, 236, 60, 198, 97, 200, 964 140, 23, 168, 183, 174, 132, 39, 251, 61, 112, 226, 66, 68, 16, 23, 213, 129, 86, 196, 965 248, 82, 141, 82, 107, 246, 224, 37, 94, 95, 134, 139, 75, 15, 70, 54, 47, 80, 19, 143, 966 48, 171, 113, 130, 226, 180, 39, 18, 44, 117, 113, 196, 20, 11, 82, 174, 251, 197, 216, 967 152, 229, 188, 148, 191, 165, 149, 50, 127, 172, 111, 95, 194, 63, 238, 112, 154, 85, 968 98, 18, 236, 13, 123, 232, 90, 47, 180, 36, 148, 77, 192, 45, 113, 150, 10, 254, 99, 0, 969 30, 87, 80, 22, 61, 78, 66, 180, 251, 220, 8, 78, 175, 251, 27, 201, 79, 197, 45, 127, 970 143, 163, 7, 252, 246, 45, 127, 87, 224, 125, 175, 245, 115, 971 ] 972 .as_slice(); 973 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 974 Hash::Sha256(ref sha_hash) => *sha_hash == Sha256::digest(CERT), 975 Hash::Sha384(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 976 })); 977 } 978 #[test] 979 fn parse_dsa_sha256() { 980 /// Certificate that uses DSA with SHA-256. 981 const CERT: &[u8] = [ 982 48, 130, 4, 162, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 37, 48, 11, 6, 9, 96, 134, 72, 983 1, 101, 3, 4, 3, 2, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 984 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 985 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 51, 986 48, 51, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 51, 48, 51, 90, 48, 43, 49, 11, 987 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 988 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 989 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 990 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 991 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 992 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 993 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 994 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 995 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 996 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 997 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 998 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 999 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1000 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1001 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1002 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1003 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1004 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1005 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1006 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1007 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1008 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1009 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1010 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1011 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1012 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1013 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1014 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1015 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1016 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1017 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1018 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1019 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1020 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1021 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1022 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1023 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1024 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1025 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1026 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1027 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1028 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1029 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1030 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1031 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1032 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1033 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1034 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1035 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1036 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1037 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1038 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 2, 3, 64, 1039 0, 48, 61, 2, 28, 116, 130, 114, 201, 119, 192, 122, 114, 52, 255, 182, 233, 56, 153, 1040 169, 135, 12, 49, 236, 107, 72, 244, 178, 174, 32, 27, 13, 226, 2, 29, 0, 170, 35, 77, 1041 179, 10, 59, 85, 118, 124, 99, 48, 21, 125, 235, 57, 27, 60, 222, 102, 120, 20, 16, 1042 148, 80, 118, 28, 75, 176, 1043 ] 1044 .as_slice(); 1045 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 1046 Hash::Sha256(ref sha_hash) => *sha_hash == Sha256::digest(CERT), 1047 Hash::Sha384(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 1048 })); 1049 } 1050 #[test] 1051 fn parse_dsa_sha224() { 1052 /// Certificate that uses DSA with SHA-224. 1053 const CERT: &[u8] = [ 1054 48, 130, 4, 163, 48, 130, 4, 79, 160, 3, 2, 1, 2, 2, 1, 36, 48, 11, 6, 9, 96, 134, 72, 1055 1, 101, 3, 4, 3, 1, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 1056 14, 6, 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 1057 3, 12, 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 50, 50, 1058 50, 53, 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 50, 50, 50, 53, 90, 48, 43, 49, 11, 1059 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 1060 115, 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 1061 130, 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 1062 194, 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 1063 45, 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1064 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1065 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1066 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1067 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1068 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1069 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1070 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1071 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1072 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1073 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1074 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1075 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1076 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1077 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1078 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1079 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1080 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1081 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1082 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1083 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1084 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1085 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1086 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1087 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1088 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1089 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1090 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1091 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1092 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1093 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1094 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1095 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1096 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1097 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1098 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1099 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1100 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1101 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1102 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1103 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1104 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1105 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1106 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1107 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1108 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1109 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1110 16, 195, 8, 166, 231, 232, 253, 48, 11, 6, 9, 96, 134, 72, 1, 101, 3, 4, 3, 1, 3, 65, 1111 0, 48, 62, 2, 29, 0, 178, 65, 35, 200, 113, 88, 88, 146, 71, 230, 14, 148, 101, 161, 1112 118, 55, 125, 175, 226, 137, 63, 147, 215, 75, 207, 115, 150, 22, 2, 29, 0, 233, 44, 1113 225, 196, 27, 225, 84, 166, 253, 231, 247, 162, 41, 134, 178, 45, 218, 17, 24, 35, 120, 1114 100, 231, 84, 218, 88, 80, 255, 1115 ] 1116 .as_slice(); 1117 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 1118 Hash::Sha224(ref sha_hash) => *sha_hash == Sha224::digest(CERT), 1119 Hash::Sha256(_) | Hash::Sha384(_) | Hash::Sha512(_) => false, 1120 })); 1121 } 1122 #[test] 1123 fn parse_dsa_sha1() { 1124 /// Certificate that uses DSA with SHA-1. 1125 const CERT: &[u8] = [ 1126 48, 130, 4, 157, 48, 130, 4, 77, 160, 3, 2, 1, 2, 2, 1, 35, 48, 9, 6, 7, 42, 134, 72, 1127 206, 56, 4, 3, 48, 46, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 16, 48, 14, 6, 1128 3, 85, 4, 10, 12, 7, 84, 101, 115, 116, 32, 67, 65, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 1129 4, 82, 111, 111, 116, 48, 30, 23, 13, 50, 53, 48, 50, 49, 52, 48, 49, 49, 57, 48, 55, 1130 90, 23, 13, 50, 53, 48, 51, 49, 54, 48, 49, 49, 57, 48, 55, 90, 48, 43, 49, 11, 48, 9, 1131 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 13, 48, 11, 6, 3, 85, 4, 10, 12, 4, 84, 101, 115, 1132 116, 49, 13, 48, 11, 6, 3, 85, 4, 3, 12, 4, 84, 101, 115, 116, 48, 130, 3, 66, 48, 130, 1133 2, 53, 6, 7, 42, 134, 72, 206, 56, 4, 1, 48, 130, 2, 40, 2, 130, 1, 1, 0, 172, 11, 194, 1134 123, 239, 38, 183, 160, 91, 74, 179, 251, 72, 80, 38, 223, 195, 46, 238, 2, 67, 45, 1135 138, 58, 62, 57, 85, 203, 148, 194, 164, 178, 195, 150, 29, 93, 245, 157, 225, 189, 1136 125, 209, 186, 83, 234, 14, 179, 116, 156, 216, 112, 205, 152, 26, 168, 175, 111, 106, 1137 249, 235, 49, 40, 246, 31, 152, 214, 59, 117, 64, 109, 28, 167, 222, 155, 132, 192, 1138 180, 240, 8, 80, 209, 209, 119, 53, 165, 51, 189, 18, 158, 176, 171, 45, 160, 54, 8, 1139 75, 146, 92, 245, 202, 188, 144, 36, 156, 127, 140, 220, 144, 56, 95, 38, 112, 44, 221, 1140 159, 9, 159, 189, 153, 150, 88, 84, 73, 138, 6, 73, 141, 17, 28, 110, 159, 141, 21, 1141 232, 13, 90, 130, 251, 177, 168, 242, 201, 222, 138, 182, 233, 142, 229, 24, 47, 186, 1142 56, 245, 177, 250, 253, 2, 11, 115, 29, 6, 156, 168, 117, 22, 15, 152, 183, 137, 25, 1143 188, 24, 22, 120, 195, 17, 97, 16, 85, 234, 95, 53, 156, 244, 146, 53, 183, 235, 71, 1144 24, 163, 139, 70, 227, 235, 154, 229, 210, 144, 81, 231, 161, 120, 117, 182, 245, 175, 1145 25, 252, 21, 153, 130, 211, 180, 209, 164, 34, 248, 167, 8, 98, 181, 69, 52, 74, 120, 1146 227, 165, 16, 172, 42, 107, 248, 42, 225, 46, 80, 11, 117, 92, 225, 27, 86, 4, 226, 29, 1147 85, 105, 208, 193, 120, 112, 39, 226, 20, 141, 2, 29, 0, 186, 229, 13, 141, 5, 89, 173, 1148 164, 148, 130, 205, 229, 23, 44, 125, 234, 49, 240, 196, 213, 6, 31, 233, 8, 99, 80, 1149 166, 239, 2, 130, 1, 0, 106, 152, 3, 177, 77, 235, 201, 25, 36, 150, 146, 246, 50, 67, 1150 97, 96, 245, 207, 14, 200, 60, 16, 229, 114, 211, 111, 193, 226, 252, 153, 176, 159, 1151 198, 41, 133, 157, 197, 38, 112, 217, 9, 205, 13, 85, 170, 94, 89, 60, 214, 117, 182, 1152 163, 81, 138, 122, 250, 48, 98, 43, 60, 186, 203, 147, 60, 74, 110, 89, 216, 73, 4, 1153 191, 1, 158, 174, 98, 201, 184, 25, 162, 239, 244, 139, 154, 173, 108, 135, 124, 166, 1154 152, 88, 237, 68, 145, 252, 33, 40, 237, 57, 53, 155, 215, 56, 12, 202, 22, 225, 7, 89, 1155 24, 245, 195, 164, 36, 172, 98, 26, 115, 10, 71, 27, 21, 255, 62, 212, 202, 71, 147, 1156 229, 6, 181, 19, 107, 136, 223, 239, 164, 243, 254, 101, 208, 122, 226, 150, 17, 251, 1157 218, 85, 169, 81, 177, 7, 190, 171, 230, 26, 149, 183, 181, 113, 140, 252, 212, 172, 1158 154, 200, 118, 69, 156, 108, 144, 11, 201, 135, 175, 19, 201, 116, 9, 80, 20, 19, 89, 1159 151, 198, 204, 253, 10, 155, 101, 159, 81, 190, 174, 58, 220, 250, 220, 212, 42, 111, 1160 33, 204, 114, 7, 30, 153, 73, 248, 209, 114, 36, 225, 6, 47, 106, 45, 226, 254, 175, 1161 201, 138, 254, 121, 184, 19, 143, 48, 67, 179, 99, 250, 189, 237, 58, 249, 194, 167, 1162 149, 162, 219, 27, 53, 67, 135, 193, 204, 253, 176, 245, 2, 211, 58, 176, 69, 14, 186, 1163 3, 130, 1, 5, 0, 2, 130, 1, 0, 97, 40, 15, 97, 210, 23, 118, 85, 75, 191, 251, 126, 1164 171, 47, 188, 57, 40, 41, 85, 48, 206, 169, 253, 233, 146, 161, 39, 232, 242, 19, 219, 1165 191, 172, 82, 78, 132, 153, 238, 120, 228, 99, 199, 197, 181, 74, 191, 123, 189, 80, 1166 203, 219, 50, 184, 193, 49, 160, 9, 41, 167, 133, 33, 151, 52, 196, 61, 29, 102, 233, 1167 163, 249, 121, 248, 55, 144, 215, 55, 89, 142, 137, 249, 67, 112, 167, 42, 255, 67, 56, 1168 179, 106, 187, 79, 87, 54, 118, 186, 154, 48, 150, 204, 222, 102, 135, 254, 202, 9, 1169 166, 229, 176, 130, 37, 174, 139, 240, 43, 134, 75, 141, 35, 163, 203, 71, 153, 217, 1170 71, 181, 79, 35, 114, 55, 124, 20, 55, 110, 112, 223, 109, 239, 183, 210, 141, 59, 88, 1171 47, 40, 167, 154, 90, 99, 250, 146, 29, 226, 10, 70, 103, 246, 209, 36, 174, 177, 164, 1172 244, 126, 153, 106, 156, 92, 143, 140, 46, 49, 184, 125, 160, 246, 145, 178, 94, 11, 1173 153, 128, 59, 210, 11, 210, 42, 3, 138, 136, 147, 115, 96, 190, 68, 128, 25, 47, 26, 1174 231, 183, 247, 89, 28, 67, 220, 235, 88, 4, 228, 140, 148, 10, 98, 104, 101, 60, 115, 1175 39, 219, 183, 111, 62, 93, 133, 141, 219, 252, 51, 66, 224, 115, 158, 85, 46, 13, 171, 1176 31, 5, 210, 83, 68, 61, 92, 87, 241, 1, 215, 144, 233, 243, 68, 238, 197, 62, 54, 68, 1177 163, 117, 48, 115, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 153, 40, 244, 111, 22, 53, 1178 83, 33, 46, 24, 242, 81, 89, 121, 91, 97, 190, 144, 138, 150, 48, 12, 6, 3, 85, 29, 19, 1179 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 7, 128, 48, 22, 6, 3, 85, 1180 29, 37, 1, 1, 255, 4, 12, 48, 10, 6, 8, 43, 6, 1, 5, 5, 7, 3, 1, 48, 31, 6, 3, 85, 29, 1181 35, 4, 24, 48, 22, 128, 20, 230, 93, 24, 66, 42, 224, 216, 63, 210, 30, 74, 173, 48, 1182 16, 195, 8, 166, 231, 232, 253, 48, 9, 6, 7, 42, 134, 72, 206, 56, 4, 3, 3, 63, 0, 48, 1183 60, 2, 28, 50, 39, 36, 45, 25, 91, 93, 174, 107, 192, 215, 113, 214, 88, 122, 108, 97, 1184 82, 121, 182, 191, 182, 66, 173, 207, 255, 17, 86, 2, 28, 28, 133, 69, 48, 198, 204, 1185 39, 177, 136, 73, 222, 95, 114, 218, 219, 54, 88, 17, 114, 204, 214, 83, 20, 137, 75, 1186 203, 163, 99, 1187 ] 1188 .as_slice(); 1189 assert!(Hash::from_der_cert(CERT).is_some_and(|hash| match hash { 1190 Hash::Sha256(ref sha_hash) => *sha_hash == Sha256::digest(CERT), 1191 Hash::Sha384(_) | Hash::Sha512(_) | Hash::Sha224(_) => false, 1192 })); 1193 } 1194 #[cfg(feature = "runtime")] 1195 #[derive(Debug)] 1196 enum E { 1197 #[expect(dead_code, reason = "does not matter for tests")] 1198 Io(Error), 1199 #[expect(dead_code, reason = "does not matter for tests")] 1200 Rustls(rustls::Error), 1201 #[expect(dead_code, reason = "does not matter for tests")] 1202 Postgres(tokio_postgres::Error), 1203 NoRootCert, 1204 MultipleRootCerts, 1205 NoClientKey, 1206 MultipleClientKeys, 1207 #[expect(dead_code, reason = "does not matter for tests")] 1208 RustlsPem(PemErr), 1209 } 1210 #[cfg(feature = "runtime")] 1211 impl From<Error> for E { 1212 fn from(value: Error) -> Self { 1213 Self::Io(value) 1214 } 1215 } 1216 #[cfg(feature = "runtime")] 1217 impl From<rustls::Error> for E { 1218 fn from(value: rustls::Error) -> Self { 1219 Self::Rustls(value) 1220 } 1221 } 1222 #[cfg(feature = "runtime")] 1223 impl From<tokio_postgres::Error> for E { 1224 fn from(value: tokio_postgres::Error) -> Self { 1225 Self::Postgres(value) 1226 } 1227 } 1228 #[cfg(feature = "runtime")] 1229 impl From<PemErr> for E { 1230 fn from(value: PemErr) -> Self { 1231 Self::RustlsPem(value) 1232 } 1233 } 1234 #[cfg(feature = "runtime")] 1235 #[ignore = "requires proper setup and I/O"] 1236 #[test] 1237 fn mutual_tls() -> Result<(), E> { 1238 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1239 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1240 let key_file = fs::read("test_data/client.key.pem")?; 1241 let mut key_iter = PrivateKeyDer::pem_slice_iter(key_file.as_slice()); 1242 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1243 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1244 |cert_res| { 1245 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1246 cert_iter.next().map_or_else( 1247 || { 1248 let mut root_store = RootCertStore::empty(); 1249 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1250 }, 1251 |_| Err(E::MultipleRootCerts), 1252 ) 1253 }) 1254 }, 1255 )?) 1256 .with_client_auth_cert( 1257 CertificateDer::pem_slice_iter(fs::read("test_data/client.crt.pem")?.as_slice()) 1258 .try_fold(Vec::with_capacity(1), |mut certs, res| { 1259 res.map(|cert| { 1260 certs.push(cert); 1261 certs 1262 }) 1263 })?, 1264 key_iter 1265 .next() 1266 .ok_or_else(|| E::NoClientKey) 1267 .and_then(|key_res| { 1268 key_res.map_err(E::RustlsPem).and_then(|key| { 1269 key_iter 1270 .next() 1271 .map_or_else(|| Ok(key), |_| Err(E::MultipleClientKeys)) 1272 }) 1273 })?, 1274 )?; 1275 super::set_postgresql_alpn(&mut conf); 1276 let mut config = Config::new(); 1277 let connection = config 1278 .application_name("test") 1279 .channel_binding(ChannelBinding::Disable) 1280 .connect_timeout(Duration::from_secs(4)) 1281 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1282 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1283 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1284 .keepalives(false) 1285 .load_balance_hosts(LoadBalanceHosts::Disable) 1286 .port(5432) 1287 .ssl_mode(SslMode::Require) 1288 .target_session_attrs(TargetSessionAttrs::Any) 1289 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1290 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1291 Builder::new_current_thread() 1292 .enable_all() 1293 .build()? 1294 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1295 } 1296 #[cfg(feature = "runtime")] 1297 #[ignore = "requires proper setup and I/O"] 1298 #[test] 1299 fn password_and_channel_binding() -> Result<(), E> { 1300 let root_cert_file = fs::read("test_data/ca.crt.pem")?; 1301 let mut cert_iter = CertificateDer::pem_slice_iter(root_cert_file.as_slice()); 1302 let mut conf = ClientConfig::builder_with_protocol_versions([&TLS13].as_slice()) 1303 .with_root_certificates(cert_iter.next().ok_or_else(|| E::NoRootCert).and_then( 1304 |cert_res| { 1305 cert_res.map_err(E::RustlsPem).and_then(|cert| { 1306 cert_iter.next().map_or_else( 1307 || { 1308 let mut root_store = RootCertStore::empty(); 1309 root_store.add(cert).map_err(E::Rustls).map(|()| root_store) 1310 }, 1311 |_| Err(E::MultipleRootCerts), 1312 ) 1313 }) 1314 }, 1315 )?) 1316 .with_no_client_auth(); 1317 super::set_postgresql_alpn(&mut conf); 1318 let mut config = Config::new(); 1319 let connection = config 1320 .application_name("test") 1321 .channel_binding(ChannelBinding::Require) 1322 .connect_timeout(Duration::from_secs(4)) 1323 .dbname(fs::read_to_string("test_data/dbname")?.trim_ascii_end()) 1324 .host(fs::read_to_string("test_data/host")?.trim_ascii_end()) 1325 .hostaddr(IpAddr::V6(Ipv6Addr::LOCALHOST)) 1326 .keepalives(false) 1327 .load_balance_hosts(LoadBalanceHosts::Disable) 1328 .password(fs::read("test_data/password")?.trim_ascii_end()) 1329 .port(5432) 1330 .ssl_mode(SslMode::Require) 1331 .target_session_attrs(TargetSessionAttrs::Any) 1332 .user(fs::read_to_string("test_data/user")?.trim_ascii_end()) 1333 .connect(MakeTlsConnector::new(Arc::new(conf).into())); 1334 Builder::new_current_thread() 1335 .enable_all() 1336 .build()? 1337 .block_on(async move { connection.await.map_err(E::Postgres).map(|_| ()) }) 1338 } 1339 }