From f03bdd111fe773f1843d6b973b3658f20850497f Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Tue, 3 Mar 2026 13:09:34 +0000 Subject: [PATCH 1/5] Update semver-compatible dependencies --- Cargo.lock | 161 +++++++++++++++++++++++++++-------------------------- 1 file changed, 83 insertions(+), 78 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 88be8fa9..4458ce5e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -71,7 +71,7 @@ version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" dependencies = [ - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] @@ -82,14 +82,14 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" dependencies = [ "anstyle", "once_cell_polyfill", - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] name = "anyhow" -version = "1.0.101" +version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea" +checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" [[package]] name = "approx" @@ -159,9 +159,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "aws-lc-rs" -version = "1.15.4" +version = "1.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b7b6141e96a8c160799cc2d5adecd5cbbe5054cb8c7c4af53da0f83bb7ad256" +checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf" dependencies = [ "aws-lc-sys", "untrusted 0.7.1", @@ -170,9 +170,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.37.1" +version = "0.38.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b092fe214090261288111db7a2b2c2118e5a7f30dc2569f1732c4069a6840549" +checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e" dependencies = [ "cc", "cmake", @@ -218,9 +218,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.19.1" +version = "3.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" +checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb" [[package]] name = "bytes" @@ -296,9 +296,9 @@ dependencies = [ [[package]] name = "chrono" -version = "0.4.43" +version = "0.4.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118" +checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0" dependencies = [ "iana-time-zone", "num-traits", @@ -668,9 +668,9 @@ dependencies = [ [[package]] name = "deranged" -version = "0.5.6" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc3dc5ad92c2e2d1c193bbbbdf2ea477cb81331de4f3103f267ca18368b988c4" +checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c" dependencies = [ "powerfmt", ] @@ -703,7 +703,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -757,7 +757,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -880,20 +880,20 @@ dependencies = [ "cfg-if", "js-sys", "libc", - "r-efi", + "r-efi 5.3.0", "wasip2", "wasm-bindgen", ] [[package]] name = "getrandom" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec" +checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555" dependencies = [ "cfg-if", "libc", - "r-efi", + "r-efi 6.0.0", "rand_core 0.10.0", "wasip2", "wasip3", @@ -1254,9 +1254,9 @@ dependencies = [ [[package]] name = "ipnet" -version = "2.11.0" +version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" +checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" [[package]] name = "iri-string" @@ -1276,7 +1276,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46" dependencies = [ "hermit-abi", "libc", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -1343,9 +1343,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.85" +version = "0.3.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3" +checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c" dependencies = [ "once_cell", "wasm-bindgen", @@ -1371,19 +1371,18 @@ checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" [[package]] name = "libredox" -version = "0.1.12" +version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616" +checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a" dependencies = [ - "bitflags", "libc", ] [[package]] name = "linux-raw-sys" -version = "0.11.0" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039" +checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53" [[package]] name = "litemap" @@ -1460,7 +1459,7 @@ version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -1554,9 +1553,9 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" [[package]] name = "pin-project-lite" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b" +checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" [[package]] name = "pin-utils" @@ -1706,6 +1705,12 @@ version = "5.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" +[[package]] +name = "r-efi" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" + [[package]] name = "rand" version = "0.9.2" @@ -1723,7 +1728,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8" dependencies = [ "chacha20", - "getrandom 0.4.1", + "getrandom 0.4.2", "rand_core 0.10.0", ] @@ -1808,9 +1813,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.9" +version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" +checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" [[package]] name = "reqwest" @@ -1907,22 +1912,22 @@ dependencies = [ [[package]] name = "rustix" -version = "1.1.3" +version = "1.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34" +checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" dependencies = [ "bitflags", "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] name = "rustls" -version = "0.23.36" +version = "0.23.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" +checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4" dependencies = [ "aws-lc-rs", "log", @@ -1974,7 +1979,7 @@ dependencies = [ "security-framework", "security-framework-sys", "webpki-root-certs", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -2047,9 +2052,9 @@ dependencies = [ [[package]] name = "security-framework" -version = "3.6.0" +version = "3.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38" +checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" dependencies = [ "bitflags", "core-foundation", @@ -2060,9 +2065,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.16.0" +version = "2.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a" +checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3" dependencies = [ "core-foundation-sys", "libc", @@ -2210,9 +2215,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.116" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", @@ -2241,15 +2246,15 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.25.0" +version = "3.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0136791f7c95b1f6dd99f9cc786b91bb81c3800b639b3478e561ddb7be95e5f1" +checksum = "82a72c767771b47409d2345987fda8628641887d5466101319899796367354a0" dependencies = [ "fastrand", - "getrandom 0.4.1", + "getrandom 0.4.2", "once_cell", "rustix", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -2381,9 +2386,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.49.0" +version = "1.50.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" +checksum = "27ad5e34374e03cfffefc301becb44e9dc3c17584f414349ebe29ed26661822d" dependencies = [ "bytes", "libc", @@ -2396,9 +2401,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.6.0" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" +checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c" dependencies = [ "proc-macro2", "quote", @@ -2445,9 +2450,9 @@ dependencies = [ [[package]] name = "toml" -version = "1.0.1+spec-1.1.0" +version = "1.0.3+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbe30f93627849fa362d4a602212d41bb237dc2bd0f8ba0b2ce785012e124220" +checksum = "c7614eaf19ad818347db24addfa201729cf2a9b6fdfd9eb0ab870fcacc606c0c" dependencies = [ "indexmap", "serde_core", @@ -2478,9 +2483,9 @@ dependencies = [ [[package]] name = "toml_parser" -version = "1.0.8+spec-1.1.0" +version = "1.0.9+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0742ff5ff03ea7e67c8ae6c93cac239e0d9784833362da3f9a9c1da8dfefcbdc" +checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4" dependencies = [ "winnow", ] @@ -2653,7 +2658,7 @@ dependencies = [ "tempfile", "tiny_http", "tokio", - "toml 1.0.1+spec-1.1.0", + "toml 1.0.3+spec-1.1.0", "tracing", "tracing-subscriber", "xdg", @@ -2764,9 +2769,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566" +checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e" dependencies = [ "cfg-if", "once_cell", @@ -2777,9 +2782,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.58" +version = "0.4.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70a6e77fd0ae8029c9ea0063f87c46fde723e7d887703d74ad2616d792e51e6f" +checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8" dependencies = [ "cfg-if", "futures-util", @@ -2791,9 +2796,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608" +checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -2801,9 +2806,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55" +checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3" dependencies = [ "bumpalo", "proc-macro2", @@ -2814,9 +2819,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.108" +version = "0.2.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12" +checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16" dependencies = [ "unicode-ident", ] @@ -2857,9 +2862,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.85" +version = "0.3.91" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "312e32e551d92129218ea9a2452120f4aabc03529ef03e4d0d82fb2780608598" +checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9" dependencies = [ "js-sys", "wasm-bindgen", @@ -2933,7 +2938,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] @@ -3392,18 +3397,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.39" +version = "0.8.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a" +checksum = "a789c6e490b576db9f7e6b6d661bcc9799f7c0ac8352f56ea20193b2681532e5" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.39" +version = "0.8.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517" +checksum = "f65c489a7071a749c849713807783f70672b28094011623e200cb86dcb835953" dependencies = [ "proc-macro2", "quote", From 589ca222b780e143616533191c987b96863c03df Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Tue, 3 Mar 2026 20:06:49 +0000 Subject: [PATCH 2/5] Allow conversion from `revocation::Error` to `Error` --- upki/src/lib.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/upki/src/lib.rs b/upki/src/lib.rs index a1d22979..48f3c9e4 100644 --- a/upki/src/lib.rs +++ b/upki/src/lib.rs @@ -194,6 +194,12 @@ impl fmt::Display for Error { } } +impl From for Error { + fn from(value: revocation::Error) -> Self { + Self::Revocation(value) + } +} + const PREFIX: &str = "upki"; const CONFIG_FILE: &str = "config.toml"; From 2cae7c604bf6cc88566fc1535c05badddcc60f7f Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Tue, 3 Mar 2026 19:02:05 +0000 Subject: [PATCH 3/5] Provide OpenSSL integration --- .github/workflows/build.yml | 4 +- Cargo.lock | 34 +++++++++++++++ Cargo.toml | 3 +- upki-openssl/Cargo.toml | 22 ++++++++++ upki-openssl/build.rs | 16 +++++++ upki-openssl/src/lib.rs | 83 +++++++++++++++++++++++++++++++++++++ upki-openssl/upki-openssl.h | 21 ++++++++++ 7 files changed, 181 insertions(+), 2 deletions(-) create mode 100644 upki-openssl/Cargo.toml create mode 100644 upki-openssl/build.rs create mode 100644 upki-openssl/src/lib.rs create mode 100644 upki-openssl/upki-openssl.h diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8b47dfc7..10dd823f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -56,7 +56,9 @@ jobs: - name: Run tests (debug) run: cargo test --locked - name: Check FFI header - run: git diff --exit-code -- upki-ffi/upki.h + run: | + git diff --exit-code -- upki-ffi/upki.h + git diff --exit-code -- upki-openssl/upki-openssl.h - name: Build (release) run: cargo build --locked --release diff --git a/Cargo.lock b/Cargo.lock index 4458ce5e..a0a2ffd1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1529,6 +1529,18 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" +[[package]] +name = "openssl-sys" +version = "0.9.111" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "option-ext" version = "0.2.0" @@ -1563,6 +1575,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkg-config" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" + [[package]] name = "plotters" version = "0.3.7" @@ -2688,6 +2706,16 @@ dependencies = [ "upki", ] +[[package]] +name = "upki-openssl" +version = "0.1.0" +dependencies = [ + "cbindgen", + "openssl-sys", + "rustls-pki-types", + "upki", +] + [[package]] name = "url" version = "2.5.8" @@ -2718,6 +2746,12 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65" +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.5" diff --git a/Cargo.toml b/Cargo.toml index 4c03e85f..277f2c47 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace] -members = ["upki", "upki-mirror", "revoke-test", "rustls-upki", "upki-ffi"] +members = ["upki", "upki-mirror", "revoke-test", "rustls-upki", "upki-ffi", "upki-openssl"] resolver = "3" [workspace.package] @@ -21,6 +21,7 @@ hex = { version = "0.4", features = ["serde"] } http = "1" insta = { version = "1.44.3", features = ["filters"] } insta-cmd = "0.6.0" +openssl-sys = "0" reqwest = { version = "0.13", default-features = false, features = ["charset", "default-tls", "h2", "http2", "json"] } rand = "0.10" regex = "1.12" diff --git a/upki-openssl/Cargo.toml b/upki-openssl/Cargo.toml new file mode 100644 index 00000000..e7f63fd2 --- /dev/null +++ b/upki-openssl/Cargo.toml @@ -0,0 +1,22 @@ +[package] +name = "upki-openssl" +version = "0.1.0" +license.workspace = true +rust-version.workspace = true +edition.workspace = true +repository.workspace = true + +[lib] +name = "upkiopenssl" +crate-type = ["cdylib"] + +[dependencies] +openssl-sys = { workspace = true } +rustls-pki-types.workspace = true +upki = { path = "../upki", version = "0.1.0" } + +[build-dependencies] +cbindgen.workspace = true + +[lints] +workspace = true diff --git a/upki-openssl/build.rs b/upki-openssl/build.rs new file mode 100644 index 00000000..8b689d10 --- /dev/null +++ b/upki-openssl/build.rs @@ -0,0 +1,16 @@ +use std::env; +use std::path::PathBuf; + +use cbindgen::Language; + +fn main() { + let crate_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap()); + cbindgen::Builder::new() + .with_crate(&crate_dir) + .with_language(Language::C) + .with_sys_include("openssl/x509_vfy.h") + .with_include_guard("UPKI_OPENSSL_H") + .generate() + .expect("unable to generate bindings") + .write_to_file(crate_dir.join("upki-openssl.h")); +} diff --git a/upki-openssl/src/lib.rs b/upki-openssl/src/lib.rs new file mode 100644 index 00000000..fd570d24 --- /dev/null +++ b/upki-openssl/src/lib.rs @@ -0,0 +1,83 @@ +use core::ptr; +use std::os::raw::c_int; +use std::slice; + +use openssl_sys::{ + OPENSSL_free, OPENSSL_sk_num, OPENSSL_sk_value, X509, X509_STORE_CTX, + X509_STORE_CTX_get0_chain, X509_STORE_CTX_set_error, X509_V_ERR_APPLICATION_VERIFICATION, + X509_V_ERR_CERT_REVOKED, i2d_X509, +}; +use rustls_pki_types::CertificateDer; +use upki::Error; +use upki::revocation::{Manifest, RevocationCheckInput, RevocationStatus}; + +/// This is a function matching OpenSSL's `SSL_verify_cb` type which does +/// revocation checking using upki. +/// +/// The configuration file and data location is found automatically. +/// +/// # Safety +/// Not very. +#[unsafe(no_mangle)] +pub unsafe extern "C" fn upki_openssl_verify_callback( + mut preverify_ok: c_int, + x509_ctx: *mut X509_STORE_CTX, +) -> c_int { + // Revocation checking never improves the situation if the verification has failed. + if preverify_ok == 0 { + return preverify_ok; + } + + let mut certs = vec![]; + let chain = unsafe { X509_STORE_CTX_get0_chain(x509_ctx) }; + let chain_count = unsafe { OPENSSL_sk_num(chain.cast()) }; + + for i in 0..chain_count { + let x509: *const X509 = unsafe { OPENSSL_sk_value(chain.cast(), i).cast() }; + certs.push(x509_to_certificate_der(x509)); + } + + match revocation_check(&certs) { + Ok(RevocationStatus::CertainlyRevoked) => { + unsafe { X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED) }; + preverify_ok = 0; + } + Ok(RevocationStatus::NotCoveredByRevocationData | RevocationStatus::NotRevoked) => {} + Err(_e) => { + unsafe { X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION) }; + preverify_ok = 0; + } + } + + preverify_ok +} + +fn revocation_check(certs: &[CertificateDer<'_>]) -> Result { + let path = upki::ConfigPath::new(None)?; + let config = upki::Config::from_file_or_default(&path)?; + let manifest = Manifest::from_config(&config)?; + let input = RevocationCheckInput::from_certificates(certs)?; + match manifest.check(&input, &config) { + Ok(st) => Ok(st), + Err(e) => Err(Error::Revocation(e)), + } +} + +fn x509_to_certificate_der(x509: *const X509) -> CertificateDer<'static> { + let (ptr, len) = unsafe { + let mut ptr = ptr::null_mut(); + let len = i2d_X509(x509, &mut ptr); + (ptr, len) + }; + + if len <= 0 { + return vec![].into(); + } + let len = len as usize; + + let mut v = Vec::with_capacity(len); + v.extend_from_slice(unsafe { slice::from_raw_parts(ptr, len) }); + + unsafe { OPENSSL_free(ptr as *mut _) }; + v.into() +} diff --git a/upki-openssl/upki-openssl.h b/upki-openssl/upki-openssl.h new file mode 100644 index 00000000..e3ff312d --- /dev/null +++ b/upki-openssl/upki-openssl.h @@ -0,0 +1,21 @@ +#ifndef UPKI_OPENSSL_H +#define UPKI_OPENSSL_H + +#include +#include +#include +#include +#include + +/** + * This is a function matching OpenSSL's `SSL_verify_cb` type which does + * revocation checking using upki. + * + * The configuration file and data location is found automatically. + * + * # Safety + * Not very. + */ +int upki_openssl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); + +#endif /* UPKI_OPENSSL_H */ From 07e98df6975a541b2313947db952509b4dd11569 Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Tue, 3 Mar 2026 20:20:01 +0000 Subject: [PATCH 4/5] upki-ffi: guard against duplication inclusion --- upki-ffi/build.rs | 1 + upki-ffi/upki.h | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/upki-ffi/build.rs b/upki-ffi/build.rs index 1af92aea..cc9790a6 100644 --- a/upki-ffi/build.rs +++ b/upki-ffi/build.rs @@ -8,6 +8,7 @@ fn main() { cbindgen::Builder::new() .with_crate(&crate_dir) .with_language(Language::C) + .with_include_guard("UPKI_H") .generate() .expect("unable to generate bindings") .write_to_file(crate_dir.join("upki.h")); diff --git a/upki-ffi/upki.h b/upki-ffi/upki.h index ad7bebe0..c3973b5a 100644 --- a/upki-ffi/upki.h +++ b/upki-ffi/upki.h @@ -1,3 +1,6 @@ +#ifndef UPKI_H +#define UPKI_H + #include #include #include @@ -219,3 +222,5 @@ enum upki_result upki_config_new(struct upki_config **out); * or null (in which case this is a no-op). */ void upki_config_free(struct upki_config *config); + +#endif /* UPKI_H */ From f9c0d58469ba560fed37ca2a14ec2ecf488877b1 Mon Sep 17 00:00:00 2001 From: Joe Birr-Pixton Date: Thu, 5 Mar 2026 18:58:55 +0000 Subject: [PATCH 5/5] Add preload hack for trying out upki with openssl --- upki-openssl/Makefile | 23 +++++++++++++++++++++++ upki-openssl/preload.c | 25 +++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 upki-openssl/Makefile create mode 100644 upki-openssl/preload.c diff --git a/upki-openssl/Makefile b/upki-openssl/Makefile new file mode 100644 index 00000000..affa7009 --- /dev/null +++ b/upki-openssl/Makefile @@ -0,0 +1,23 @@ +CC = gcc +CFLAGS = -Wall -Wextra -fPIC +LDFLAGS = -shared +LIBS = -lssl -lcrypto -ldl -lupkiopenssl -L../target/release/ + +TARGET = libupkiopenssl-preload.so +SOURCE = preload.c + +.PHONY: all clean + +all: $(TARGET) + +$(TARGET): $(SOURCE) upki-openssl.h + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(SOURCE) $(LIBS) + +clean: + rm -f $(TARGET) + +install: $(TARGET) + install -m 755 $(TARGET) /usr/local/lib/ + +uninstall: + rm -f /usr/local/lib/$(TARGET) diff --git a/upki-openssl/preload.c b/upki-openssl/preload.c new file mode 100644 index 00000000..1157f1dd --- /dev/null +++ b/upki-openssl/preload.c @@ -0,0 +1,25 @@ +#include "upki-openssl.h" +#include +#include + +typedef SSL *(*ssl_new_fn)(SSL_CTX *); + +SSL *SSL_new(SSL_CTX *ctx) { + void *parent = dlsym(RTLD_NEXT, "SSL_new"); + if (!parent) { + return NULL; + } + + SSL *new = ((ssl_new_fn)(parent))(ctx); + if (!new) { + return new; + } + + // TODO: save and call current too. + // SSL_verify_cb current = SSL_get_verify_callback(new); + int mode = SSL_get_verify_mode(new); + SSL_set_verify(new, mode, upki_openssl_verify_callback); + return new; +} + +// TODO: also hook later calls of SSL_set_verify, SSL_get_verify_callback