/rust/registry/src/index.crates.io-1949cf8c6b5b557f/openssl-0.10.62/src/x509/verify.rs

Source
use bitflags::bitflags;
use foreign_types::ForeignTypeRef;
use libc::{c_int, c_uint, c_ulong, time_t};
use std::net::IpAddr;

use crate::error::ErrorStack;
#[cfg(ossl102)]
use crate::x509::X509PurposeId;
use crate::{cvt, cvt_p};
use openssl_macros::corresponds;

bitflags! {
    /// Flags used to check an `X509` certificate.
    #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
    #[repr(transparent)]
    pub struct X509CheckFlags: c_uint {
        const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
        const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
        const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
        const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
        const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
        /// Requires OpenSSL 1.1.0 or newer.
        #[cfg(any(ossl110))]
        const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;

        #[deprecated(since = "0.10.6", note = "renamed to NO_WILDCARDS")]
        const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
    }
}

bitflags! {
    /// Flags used to verify an `X509` certificate chain.
    #[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
    #[repr(transparent)]
    pub struct X509VerifyFlags: c_ulong {
        const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK;
        const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME;
        const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK;
        const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL;
        const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL;
        const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT;
        const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS;
        const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK;
        const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY;
        const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY;
        const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP;
        const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY;
        const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT;
        const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS;
        const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE;
        #[cfg(ossl102)]
        const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST;
        #[cfg(ossl102)]
        const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY;
        #[cfg(ossl102)]
        const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS;
        #[cfg(ossl102)]
        const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS;
        #[cfg(ossl102)]
        const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN;
        #[cfg(ossl110)]
        const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS;
        #[cfg(ossl110)]
        const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME;
    }
}

foreign_type_and_impl_send_sync! {
    type CType = ffi::X509_VERIFY_PARAM;
    fn drop = ffi::X509_VERIFY_PARAM_free;

    /// Adjust parameters associated with certificate verification.
    pub struct X509VerifyParam;
    /// Reference to `X509VerifyParam`.
    pub struct X509VerifyParamRef;
}

impl X509VerifyParam {
    /// Create an X509VerifyParam
    #[corresponds(X509_VERIFY_PARAM_new)]
    pub fn new() -> Result<X509VerifyParam, ErrorStack> {
        unsafe {
            ffi::init();
            cvt_p(ffi::X509_VERIFY_PARAM_new()).map(X509VerifyParam)
        }
    }
}

impl X509VerifyParamRef {
    /// Set the host flags.
    #[corresponds(X509_VERIFY_PARAM_set_hostflags)]
    pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
        unsafe {
            ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits());
        }
    }

    /// Set verification flags.
    #[corresponds(X509_VERIFY_PARAM_set_flags)]
    pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
        unsafe {
            cvt(ffi::X509_VERIFY_PARAM_set_flags(
                self.as_ptr(),
                flags.bits(),
            ))
            .map(|_| ())
        }
    }

    /// Clear verification flags.
    #[corresponds(X509_VERIFY_PARAM_clear_flags)]
    pub fn clear_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
        unsafe {
            cvt(ffi::X509_VERIFY_PARAM_clear_flags(
                self.as_ptr(),
                flags.bits(),
            ))
            .map(|_| ())
        }
    }

    /// Gets verification flags.
    #[corresponds(X509_VERIFY_PARAM_get_flags)]
    pub fn flags(&mut self) -> X509VerifyFlags {
        let bits = unsafe { ffi::X509_VERIFY_PARAM_get_flags(self.as_ptr()) };
        X509VerifyFlags::from_bits_retain(bits)
    }

    /// Set the expected DNS hostname.
    #[corresponds(X509_VERIFY_PARAM_set1_host)]
    pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
        unsafe {
            // len == 0 means "run strlen" :(
            let raw_host = if host.is_empty() { "\0" } else { host };
            cvt(ffi::X509_VERIFY_PARAM_set1_host(
                self.as_ptr(),
                raw_host.as_ptr() as *const _,
                host.len(),
            ))
            .map(|_| ())
        }
    }

    /// Set the expected email address.
    #[corresponds(X509_VERIFY_PARAM_set1_email)]
    pub fn set_email(&mut self, email: &str) -> Result<(), ErrorStack> {
        unsafe {
            // len == 0 means "run strlen" :(
            let raw_email = if email.is_empty() { "\0" } else { email };
            cvt(ffi::X509_VERIFY_PARAM_set1_email(
                self.as_ptr(),
                raw_email.as_ptr() as *const _,
                email.len(),
            ))
            .map(|_| ())
        }
    }

    /// Set the expected IPv4 or IPv6 address.
    #[corresponds(X509_VERIFY_PARAM_set1_ip)]
    pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
        unsafe {
            let mut buf = [0; 16];
            let len = match ip {
                IpAddr::V4(addr) => {
                    buf[..4].copy_from_slice(&addr.octets());
                    4
                }
                IpAddr::V6(addr) => {
                    buf.copy_from_slice(&addr.octets());
                    16
                }
            };
            cvt(ffi::X509_VERIFY_PARAM_set1_ip(
                self.as_ptr(),
                buf.as_ptr() as *const _,
                len,
            ))
            .map(|_| ())
        }
    }

    /// Set the verification time, where time is of type time_t, traditionaly defined as seconds since the epoch
    #[corresponds(X509_VERIFY_PARAM_set_time)]
    pub fn set_time(&mut self, time: time_t) {
        unsafe { ffi::X509_VERIFY_PARAM_set_time(self.as_ptr(), time) }
    }

    /// Set the verification depth
    #[corresponds(X509_VERIFY_PARAM_set_depth)]
    pub fn set_depth(&mut self, depth: c_int) {
        unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) }
    }

    /// Sets the authentication security level to auth_level
    #[corresponds(X509_VERIFY_PARAM_set_auth_level)]
    #[cfg(ossl110)]
    pub fn set_auth_level(&mut self, lvl: c_int) {
        unsafe { ffi::X509_VERIFY_PARAM_set_auth_level(self.as_ptr(), lvl) }
    }

    /// Gets the current authentication security level
    #[corresponds(X509_VERIFY_PARAM_get_auth_level)]
    #[cfg(ossl110)]
    pub fn auth_level(&self) -> i32 {
        unsafe { ffi::X509_VERIFY_PARAM_get_auth_level(self.as_ptr()) }
    }

    /// Sets the verification purpose
    #[corresponds(X509_VERIFY_PARAM_set_purpose)]
    #[cfg(ossl102)]
    pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> {
        unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(|_| ()) }
    }
}

Coverage Report

Created: 2026-05-16 06:45

Line	Count	Source
1		use bitflags::bitflags;
2		use foreign_types::ForeignTypeRef;
3		use libc::{c_int, c_uint, c_ulong, time_t};
4		use std::net::IpAddr;
5
6		use crate::error::ErrorStack;
7		#[cfg(ossl102)]
8		use crate::x509::X509PurposeId;
9		use crate::{cvt, cvt_p};
10		use openssl_macros::corresponds;
11
12		bitflags! {
13		/// Flags used to check an `X509` certificate.
14		#[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
15		#[repr(transparent)]
16		pub struct X509CheckFlags: c_uint {
17		const ALWAYS_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
18		const NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
19		const NO_PARTIAL_WILDCARDS = ffi::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
20		const MULTI_LABEL_WILDCARDS = ffi::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS;
21		const SINGLE_LABEL_SUBDOMAINS = ffi::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS;
22		/// Requires OpenSSL 1.1.0 or newer.
23		#[cfg(any(ossl110))]
24		const NEVER_CHECK_SUBJECT = ffi::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT;
25
26		#[deprecated(since = "0.10.6", note = "renamed to NO_WILDCARDS")]
27		const FLAG_NO_WILDCARDS = ffi::X509_CHECK_FLAG_NO_WILDCARDS;
28		}
29		}
30
31		bitflags! {
32		/// Flags used to verify an `X509` certificate chain.
33		#[derive(Copy, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
34		#[repr(transparent)]
35		pub struct X509VerifyFlags: c_ulong {
36		const CB_ISSUER_CHECK = ffi::X509_V_FLAG_CB_ISSUER_CHECK;
37		const USE_CHECK_TIME = ffi::X509_V_FLAG_USE_CHECK_TIME;
38		const CRL_CHECK = ffi::X509_V_FLAG_CRL_CHECK;
39		const CRL_CHECK_ALL = ffi::X509_V_FLAG_CRL_CHECK_ALL;
40		const IGNORE_CRITICAL = ffi::X509_V_FLAG_IGNORE_CRITICAL;
41		const X509_STRICT = ffi::X509_V_FLAG_X509_STRICT;
42		const ALLOW_PROXY_CERTS = ffi::X509_V_FLAG_ALLOW_PROXY_CERTS;
43		const POLICY_CHECK = ffi::X509_V_FLAG_POLICY_CHECK;
44		const EXPLICIT_POLICY = ffi::X509_V_FLAG_EXPLICIT_POLICY;
45		const INHIBIT_ANY = ffi::X509_V_FLAG_INHIBIT_ANY;
46		const INHIBIT_MAP = ffi::X509_V_FLAG_INHIBIT_MAP;
47		const NOTIFY_POLICY = ffi::X509_V_FLAG_NOTIFY_POLICY;
48		const EXTENDED_CRL_SUPPORT = ffi::X509_V_FLAG_EXTENDED_CRL_SUPPORT;
49		const USE_DELTAS = ffi::X509_V_FLAG_USE_DELTAS;
50		const CHECK_SS_SIGNATURE = ffi::X509_V_FLAG_CHECK_SS_SIGNATURE;
51		#[cfg(ossl102)]
52		const TRUSTED_FIRST = ffi::X509_V_FLAG_TRUSTED_FIRST;
53		#[cfg(ossl102)]
54		const SUITEB_128_LOS_ONLY = ffi::X509_V_FLAG_SUITEB_128_LOS_ONLY;
55		#[cfg(ossl102)]
56		const SUITEB_192_LOS = ffi::X509_V_FLAG_SUITEB_128_LOS;
57		#[cfg(ossl102)]
58		const SUITEB_128_LOS = ffi::X509_V_FLAG_SUITEB_192_LOS;
59		#[cfg(ossl102)]
60		const PARTIAL_CHAIN = ffi::X509_V_FLAG_PARTIAL_CHAIN;
61		#[cfg(ossl110)]
62		const NO_ALT_CHAINS = ffi::X509_V_FLAG_NO_ALT_CHAINS;
63		#[cfg(ossl110)]
64		const NO_CHECK_TIME = ffi::X509_V_FLAG_NO_CHECK_TIME;
65		}
66		}
67
68		foreign_type_and_impl_send_sync! {
69		type CType = ffi::X509_VERIFY_PARAM;
70		fn drop = ffi::X509_VERIFY_PARAM_free;
71
72		/// Adjust parameters associated with certificate verification.
73		pub struct X509VerifyParam;
74		/// Reference to `X509VerifyParam`.
75		pub struct X509VerifyParamRef;
76		}
77
78		impl X509VerifyParam {
79		/// Create an X509VerifyParam
80		#[corresponds(X509_VERIFY_PARAM_new)]
81	0	pub fn new() -> Result<X509VerifyParam, ErrorStack> {
82		unsafe {
83	0	ffi::init();
84	0	cvt_p(ffi::X509_VERIFY_PARAM_new()).map(X509VerifyParam)
85		}
86	0	}
87		}
88
89		impl X509VerifyParamRef {
90		/// Set the host flags.
91		#[corresponds(X509_VERIFY_PARAM_set_hostflags)]
92	0	pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {
93	0	unsafe {
94	0	ffi::X509_VERIFY_PARAM_set_hostflags(self.as_ptr(), hostflags.bits());
95	0	}
96	0	}
97
98		/// Set verification flags.
99		#[corresponds(X509_VERIFY_PARAM_set_flags)]
100	0	pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
101		unsafe {
102	0	cvt(ffi::X509_VERIFY_PARAM_set_flags(
103	0	self.as_ptr(),
104	0	flags.bits(),
105		))
106	0	.map(\|_\| ())
107		}
108	0	}
109
110		/// Clear verification flags.
111		#[corresponds(X509_VERIFY_PARAM_clear_flags)]
112	0	pub fn clear_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
113		unsafe {
114	0	cvt(ffi::X509_VERIFY_PARAM_clear_flags(
115	0	self.as_ptr(),
116	0	flags.bits(),
117		))
118	0	.map(\|_\| ())
119		}
120	0	}
121
122		/// Gets verification flags.
123		#[corresponds(X509_VERIFY_PARAM_get_flags)]
124	0	pub fn flags(&mut self) -> X509VerifyFlags {
125	0	let bits = unsafe { ffi::X509_VERIFY_PARAM_get_flags(self.as_ptr()) };
126	0	X509VerifyFlags::from_bits_retain(bits)
127	0	}
128
129		/// Set the expected DNS hostname.
130		#[corresponds(X509_VERIFY_PARAM_set1_host)]
131	0	pub fn set_host(&mut self, host: &str) -> Result<(), ErrorStack> {
132		unsafe {
133		// len == 0 means "run strlen" :(
134	0	let raw_host = if host.is_empty() { "\0" } else { host };
135	0	cvt(ffi::X509_VERIFY_PARAM_set1_host(
136	0	self.as_ptr(),
137	0	raw_host.as_ptr() as *const _,
138	0	host.len(),
139		))
140	0	.map(\|_\| ())
141		}
142	0	}
143
144		/// Set the expected email address.
145		#[corresponds(X509_VERIFY_PARAM_set1_email)]
146	0	pub fn set_email(&mut self, email: &str) -> Result<(), ErrorStack> {
147		unsafe {
148		// len == 0 means "run strlen" :(
149	0	let raw_email = if email.is_empty() { "\0" } else { email };
150	0	cvt(ffi::X509_VERIFY_PARAM_set1_email(
151	0	self.as_ptr(),
152	0	raw_email.as_ptr() as *const _,
153	0	email.len(),
154		))
155	0	.map(\|_\| ())
156		}
157	0	}
158
159		/// Set the expected IPv4 or IPv6 address.
160		#[corresponds(X509_VERIFY_PARAM_set1_ip)]
161	0	pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
162		unsafe {
163	0	let mut buf = [0; 16];
164	0	let len = match ip {
165	0	IpAddr::V4(addr) => {
166	0	buf[..4].copy_from_slice(&addr.octets());
167	0	4
168		}
169	0	IpAddr::V6(addr) => {
170	0	buf.copy_from_slice(&addr.octets());
171	0	16
172		}
173		};
174	0	cvt(ffi::X509_VERIFY_PARAM_set1_ip(
175	0	self.as_ptr(),
176	0	buf.as_ptr() as *const _,
177	0	len,
178		))
179	0	.map(\|_\| ())
180		}
181	0	}
182
183		/// Set the verification time, where time is of type time_t, traditionaly defined as seconds since the epoch
184		#[corresponds(X509_VERIFY_PARAM_set_time)]
185	0	pub fn set_time(&mut self, time: time_t) {
186	0	unsafe { ffi::X509_VERIFY_PARAM_set_time(self.as_ptr(), time) }
187	0	}
188
189		/// Set the verification depth
190		#[corresponds(X509_VERIFY_PARAM_set_depth)]
191	0	pub fn set_depth(&mut self, depth: c_int) {
192	0	unsafe { ffi::X509_VERIFY_PARAM_set_depth(self.as_ptr(), depth) }
193	0	}
194
195		/// Sets the authentication security level to auth_level
196		#[corresponds(X509_VERIFY_PARAM_set_auth_level)]
197		#[cfg(ossl110)]
198	0	pub fn set_auth_level(&mut self, lvl: c_int) {
199	0	unsafe { ffi::X509_VERIFY_PARAM_set_auth_level(self.as_ptr(), lvl) }
200	0	}
201
202		/// Gets the current authentication security level
203		#[corresponds(X509_VERIFY_PARAM_get_auth_level)]
204		#[cfg(ossl110)]
205	0	pub fn auth_level(&self) -> i32 {
206	0	unsafe { ffi::X509_VERIFY_PARAM_get_auth_level(self.as_ptr()) }
207	0	}
208
209		/// Sets the verification purpose
210		#[corresponds(X509_VERIFY_PARAM_set_purpose)]
211		#[cfg(ossl102)]
212	0	pub fn set_purpose(&mut self, purpose: X509PurposeId) -> Result<(), ErrorStack> {
213	0	unsafe { cvt(ffi::X509_VERIFY_PARAM_set_purpose(self.as_ptr(), purpose.0)).map(\|_\| ()) }
214	0	}
215		}