
use std::fs;
use std::io::Write;
use std::process::Command;
use std::process::Stdio;

use tempfile::Builder as TempBuilder;
7/// Convert DER certificate to PKCS #12 using openssl command.
8pub(crate) fn der_to_pkcs12(cert: &[u8], key: &[u8]) -> anyhow::Result<(Vec<u8>, String)> {
9    let temp_dir = TempBuilder::new()
10        .prefix("tls-api-der-to-pkcs12")
11        .tempdir()
12        .unwrap();
13
14    let cert_file = temp_dir.path().join("cert.pem");
15    let pkcs12_file = temp_dir.path().join("cert.pkcs12");
16
17    let passphrase = "tls-api-123";
18
19    let pem_data = pem::encode_many(&[
20        pem::Pem::new("CERTIFICATE", cert.to_vec()),
21        // Technically it can be non-RSA PRIVATE KEY
22        pem::Pem::new("RSA PRIVATE KEY", key.to_vec()),
23    ]);
24
25    fs::write(&cert_file, pem_data)?;
26
27    let output = Command::new("openssl")
28        .arg("pkcs12")
29        .arg("-export")
30        .arg("-nodes")
31        .arg("-in")
32        .arg(&cert_file)
33        .arg("-out")
34        .arg(&pkcs12_file)
35        .arg("-password")
36        .arg(format!("pass:{}", passphrase))
37        .stdin(Stdio::null())
38        .stdout(Stdio::null())
39        .stderr(Stdio::inherit())
40        .output()?;
41
42    if !output.status.success() {
43        return Err(crate::CommonError::OpensslCommandFailedToConvert.into());
44    }
45
46    let pkcs12 = fs::read(pkcs12_file)?;
47    Ok((pkcs12, passphrase.to_owned()))
48}
50/// PKCS #12 certificate to DER using openssl command.
51pub(crate) fn pkcs12_to_der(pkcs12: &[u8], passphrase: &str) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
52    let temp_dir = TempBuilder::new()
53        .prefix("tls-api-der-to-pkcs12")
54        .tempdir()
55        .unwrap();
56
57    let cert_pem_file = temp_dir.path().join("cert.pem");
58    let pkcs12_file = temp_dir.path().join("cert.pkcs12");
59
60    fs::write(&pkcs12_file, pkcs12)?;
61
62    let output = Command::new("openssl")
63        .arg("pkcs12")
64        .arg("-nodes")
65        .arg("-in")
66        .arg(&pkcs12_file)
67        .arg("-out")
68        .arg(&cert_pem_file)
69        .arg("-password")
70        .arg(format!("pass:{}", passphrase))
71        .stdin(Stdio::null())
72        .stdout(Stdio::null())
73        .stderr(Stdio::inherit())
74        .output()?;
75
76    if !output.status.success() {
77        return Err(crate::CommonError::OpensslCommandFailedToConvert.into());
78    }
79
80    let cert_pem = fs::read_to_string(cert_pem_file)?;
81    let pems = pem::parse_many(cert_pem)?;
82    let mut certificates: Vec<Vec<u8>> = pems
83        .iter()
84        .flat_map(|p| match p.tag() {
85            "CERTIFICATE" => Some(p.contents().to_vec()),
86            _ => None,
87        })
88        .collect();
89    let mut keys: Vec<Vec<u8>> = pems
90        .iter()
91        .flat_map(|p| match p.tag() {
92            "PRIVATE KEY" | "RSA PRIVATE KEY" => Some(p.contents().to_vec()),
93            _ => None,
94        })
95        .collect();
96    if keys.len() != 1 || certificates.len() != 1 {
97        return Err(
98            crate::CommonError::PemFromPkcs12ContainsNotSingleCertKeyPair(
99                pems.iter().map(|p| p.tag().to_string()).collect(),
100            )
101            .into(),
102        );
103    }
104    Ok((certificates.swap_remove(0), keys.swap_remove(0)))
105}