use std::fs;
use std::process::Command;
use std::process::Stdio;

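/// Convert a DER certificate and its private key to PKCS #12 using the `openssl` command.
///
/// Both inputs are written as PEM into a fresh temporary directory, converted with
/// `openssl pkcs12 -export`, and the resulting archive is read back into memory.
///
/// # Arguments
/// * `cert` – DER-encoded X.509 certificate.
/// * `key` – DER-encoded private key. It is wrapped in an `RSA PRIVATE KEY` PEM block,
///   so a key in another encoding (e.g. PKCS #8 / non-RSA) may be rejected by `openssl`.
///
/// # Returns
/// The PKCS #12 archive bytes together with the passphrase that protects them. The
/// passphrase is a fixed, non-secret constant that exists only because the format
/// requires one; it provides no confidentiality for the key material, which is also
/// written unencrypted to the temporary directory while the command runs.
///
/// # Errors
/// Fails if the temporary directory or files cannot be created, if `openssl` cannot be
/// spawned, or with [`crate::CommonError::OpensslCommandFailedToConvert`] when the
/// command exits unsuccessfully (its stderr is inherited, so diagnostics go to ours).
pub(crate) fn der_to_pkcs12(cert: &[u8], key: &[u8]) -> anyhow::Result<(Vec<u8>, String)> {
    // Creating the directory is I/O (no writable TMPDIR, ENOSPC, ...): propagate the
    // error rather than panicking. The directory is removed when `temp_dir` is dropped.
    let temp_dir = tempdir::TempDir::new("tls-api-der-to-pkcs12")?;

    let cert_file = temp_dir.path().join("cert.pem");
    let pkcs12_file = temp_dir.path().join("cert.pkcs12");

    // Fixed, public passphrase; it is returned to the caller alongside the archive.
    let passphrase = "tls-api-123";

    let pem_data = pem::encode_many(&[
        pem::Pem {
            tag: "CERTIFICATE".to_owned(),
            contents: cert.to_owned(),
        },
        pem::Pem {
            // Technically it can be a non-RSA private key; the tag is not verified here.
            tag: "RSA PRIVATE KEY".to_owned(),
            contents: key.to_owned(),
        },
    ]);

    fs::write(&cert_file, pem_data)?;

    // Passing the passphrase on the command line exposes it to local process listings;
    // that is acceptable only because it is the fixed public constant above.
    let output = Command::new("openssl")
        .arg("pkcs12")
        .arg("-export")
        .arg("-nodes")
        .arg("-in")
        .arg(&cert_file)
        .arg("-out")
        .arg(&pkcs12_file)
        .arg("-password")
        .arg(format!("pass:{}", passphrase))
        .stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::inherit())
        .output()?;

    if !output.status.success() {
        return Err(crate::CommonError::OpensslCommandFailedToConvert.into());
    }

    let pkcs12 = fs::read(pkcs12_file)?;
    Ok((pkcs12, passphrase.to_owned()))
}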

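/// Convert a PKCS #12 archive to a DER certificate and private key using the `openssl` command.
///
/// The archive is written into a fresh temporary directory, parsed with
/// `openssl pkcs12 -nodes`, and the resulting PEM is required to contain exactly one
/// certificate and one private key.
///
/// # Arguments
/// * `pkcs12` – the PKCS #12 archive bytes.
/// * `passphrase` – passphrase protecting the archive. It is handed to `openssl` on its
///   standard input (`-passin stdin`) rather than on the command line, so a caller's
///   secret does not show up in local process listings. It must not contain a newline,
///   because `openssl` reads the passphrase as a single line.
///
/// # Returns
/// `(certificate, private_key)`, both DER-encoded. The private key is written
/// unencrypted (`-nodes`) to the temporary directory while the command runs; the
/// directory is removed when `temp_dir` is dropped.
///
/// # Errors
/// Fails if the passphrase contains a newline, if the temporary directory or files
/// cannot be created, if `openssl` cannot be spawned, with
/// [`crate::CommonError::OpensslCommandFailedToConvert`] when the command exits
/// unsuccessfully, or with
/// [`crate::CommonError::PemFromPkcs12ContainsNotSingleCertKeyPair`] (carrying the PEM
/// tags found) when the output is not exactly one certificate plus one key.
pub(crate) fn pkcs12_to_der(pkcs12: &[u8], passphrase: &str) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
    use std::io::Write;

    // `-passin stdin` reads one line; a newline would silently truncate the passphrase.
    if passphrase.contains('\n') {
        anyhow::bail!("PKCS #12 passphrase must not contain a newline");
    }

    // Creating the directory is I/O: propagate the error rather than panicking.
    let temp_dir = tempdir::TempDir::new("tls-api-der-to-pkcs12")?;

    let cert_pem_file = temp_dir.path().join("cert.pem");
    let pkcs12_file = temp_dir.path().join("cert.pkcs12");

    fs::write(&pkcs12_file, pkcs12)?;

    let mut child = Command::new("openssl")
        .arg("pkcs12")
        .arg("-nodes")
        .arg("-in")
        .arg(&pkcs12_file)
        .arg("-out")
        .arg(&cert_pem_file)
        .arg("-passin")
        .arg("stdin")
        .stdin(Stdio::piped())
        .stdout(Stdio::null())
        .stderr(Stdio::inherit())
        .spawn()?;

    // Write the passphrase as a single line, then drop the handle so openssl sees EOF.
    // A write failure (e.g. a broken pipe because openssl exited early) is reported only
    // after the exit status has been checked, so the more specific error wins.
    let write_result = {
        let mut stdin = child
            .stdin
            .take()
            .expect("stdin was configured as Stdio::piped");
        stdin
            .write_all(passphrase.as_bytes())
            .and_then(|()| stdin.write_all(b"\n"))
    };
    let output = child.wait_with_output()?;

    if !output.status.success() {
        return Err(crate::CommonError::OpensslCommandFailedToConvert.into());
    }
    write_result?;

    let cert_pem = fs::read_to_string(cert_pem_file)?;
    let pems = pem::parse_many(cert_pem);
    let mut certificates: Vec<Vec<u8>> = pems
        .iter()
        .filter(|p| p.tag == "CERTIFICATE")
        .map(|p| p.contents.clone())
        .collect();
    let mut keys: Vec<Vec<u8>> = pems
        .iter()
        .filter(|p| matches!(p.tag.as_str(), "PRIVATE KEY" | "RSA PRIVATE KEY"))
        .map(|p| p.contents.clone())
        .collect();
    // Anything other than exactly one cert and one key is ambiguous for a TLS identity.
    if keys.len() != 1 || certificates.len() != 1 {
        return Err(
            crate::CommonError::PemFromPkcs12ContainsNotSingleCertKeyPair(
                pems.iter().map(|p| p.tag.clone()).collect(),
            )
            .into(),
        );
    }
    Ok((certificates.swap_remove(0), keys.swap_remove(0)))
}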