diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index be26aa94..57340d39 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -2918,6 +2918,25 @@ impl SslRef {
 unsafe { ffi::SSL_set_verify(self.as_ptr(), mode.bits() as c_int, None) }
 }
 
+ /// Sets the certificate verification depth.
+ ///
+ /// If the peer's certificate chain is longer than this value, verification will fail.
+ ///
+ /// This corresponds to [`SSL_set_verify_depth`].
+ ///
+ /// [`SSL_set_verify_depth`]: https://docs.openssl.org/1.1.1/man3/SSL_CTX_set_verify/
+ pub fn set_verify_depth(&mut self, depth: u32) {
+ #[cfg(feature = "rpk")]
+ assert!(
+ !self.ssl_context().is_rpk(),
+ "This API is not supported for RPK"
+ );
+
+ unsafe {
+ ffi::SSL_set_verify_depth(self.as_ptr(), depth as c_int);
+ }
+ }
+
 /// Returns the verify mode that was set using `set_verify`.
 ///
 /// This corresponds to [`SSL_get_verify_mode`].
@@ -2975,6 +2994,27 @@ impl SslRef {
 }
 }
 
+ /// Sets a custom certificate store for verifying peer certificates.
+ ///
+ /// This corresponds to [`SSL_CTX_set0_verify_cert_store`].
+ ///
+ /// [`SSL_set0_verify_cert_store`]: https://docs.openssl.org/1.0.2/man3/SSL_CTX_set1_verify_cert_store/
+ pub fn set_verify_cert_store(&mut self, cert_store: X509Store) -> Result<(), ErrorStack> {
+ #[cfg(feature = "rpk")]
+ assert!(
+ !self.ssl_context().is_rpk(),
+ "This API is not supported for RPK"
+ );
+
+ unsafe {
+ let ptr = cert_store.as_ptr();
+ cvt(ffi::SSL_set0_verify_cert_store(self.as_ptr(), ptr) as c_int)?;
+ mem::forget(cert_store);
+
+ Ok(())
+ }
+ }
+
 /// Like [`SslContextBuilder::set_custom_verify_callback`].
 ///
 /// This corresponds to [`SSL_set_custom_verify`].
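Review bot: `depth as c_int` in `set_verify_depth` silently wraps any `depth` above `i32::MAX` to a negative value, so a caller passing `u32::MAX` to mean "no limit" hands BoringSSL a negative depth instead; clamp before the FFI call with `let depth = c_int::try_from(depth).unwrap_or(c_int::MAX);` and say in the doc that larger values saturate. The doc sentence "If the peer's certificate chain is longer than this value" does not say what is counted; in the OpenSSL/BoringSSL API the depth limits the number of intermediate CA certificates, excluding the leaf and the trust anchor — if that matches the bound `ffi::SSL_set_verify_depth`, state it as `/// The depth counts intermediate CA certificates only; the leaf and the trust anchor are not counted.`. The `unsafe` block would also read better with `// SAFETY: self.as_ptr() is a valid, owned SSL*.` so the invariant is explicit.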
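Review bot: The doc comment of `set_verify_cert_store` cites `[`SSL_CTX_set0_verify_cert_store`]` but the link definition beneath it is for `[`SSL_set0_verify_cert_store`]`, so rustdoc has no target for the cited name, and the text names the context-level function while the body calls the per-connection `SSL_set0_verify_cert_store`. Change the text line to `/// This corresponds to [`SSL_set0_verify_cert_store`].` and point the definition at the current manual page rather than the 1.0.2 one. The ownership story deserves a comment too: `mem::forget(cert_store)` is correct only because the store is handed to BoringSSL on success, and the early `?` return relies on the callee not taking ownership when it reports failure — a `// SAFETY: on success BoringSSL owns the store; on failure it is still ours and is dropped by the early return.` states both assumptions, which I cannot confirm from the hunk. The `as c_int` on the `cvt(...)` argument looks redundant if the binding already returns `c_int`; worth checking against the ffi declaration.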
@@ -3800,6 +3840,27 @@ impl SslRef {
 Ok(())
 }
 
+ /// Sets the list of CA names sent to the client.
+ ///
+ /// The CA certificates must still be added to the trust root - they are not automatically set
+ /// as trusted by this method.
+ ///
+ /// This corresponds to [`SSL_set_client_CA_list`].
+ ///
+ /// [`SSL_set_client_CA_list`]: https://docs.openssl.org/1.1.1/man3/SSL_CTX_set0_CA_list/
+ pub fn set_client_ca_list(&mut self, list: Stack) {
+ #[cfg(feature = "rpk")]
+ assert!(
+ !self.ssl_context().is_rpk(),
+ "This API is not supported for RPK"
+ );
+
+ unsafe {
+ ffi::SSL_set_client_CA_list(self.as_ptr(), list.as_ptr());
+ mem::forget(list);
+ }
+ }
+
 /// Sets the private key.
 ///
 /// This corresponds to [`SSL_use_PrivateKey`].
diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs
index 30a4b2b8..1ef04454 100644
--- a/boring/src/x509/mod.rs
+++ b/boring/src/x509/mod.rs
@@ -474,6 +474,30 @@ impl X509Ref {
 }
 }
 
+ /// Returns this certificate's subject key id.
+ ///
+ /// This corresponds to [`X509_get0_subject_key_id`].
+ ///
+ /// [`X509_get0_subject_key_id`]: https://docs.openssl.org/1.1.1/man3/X509_get_extension_flags/
+ pub fn subject_key_id(&self) -> &Asn1StringRef {
+ unsafe {
+ let name = ffi::X509_get0_subject_key_id(self.as_ptr());
+ Asn1StringRef::from_ptr(name as _)
+ }
+ }
+
+ /// Returns this certificate's authority key id.
+ ///
+ /// This corresponds to [`X509_get0_authority_key_id`].
+ ///
+ /// [`X509_get0_authority_key_id`]: https://docs.openssl.org/1.1.1/man3/X509_get_extension_flags/
+ pub fn authority_key_id(&self) -> &Asn1StringRef {
+ unsafe {
+ let name = ffi::X509_get0_authority_key_id(self.as_ptr());
+ Asn1StringRef::from_ptr(name as _)
+ }
+ }
+
 pub fn public_key(&self) -> Result, ErrorStack> {
 unsafe {
 let pkey = cvt_p(ffi::X509_get_pubkey(self.as_ptr()))?;
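Review bot: `set_client_ca_list` hands the stack to BoringSSL with `mem::forget(list)` but nothing says why, and the caveat an operator needs is missing from the doc: the list only advertises acceptable issuer names in the CertificateRequest — it neither restricts which client certificates are accepted (the verify mode and store decide that) nor is it validated. I would add `/// This only affects the names advertised to the client; whether a client certificate is accepted is decided by the verify mode and the verify store.` to the doc and `// SAFETY: SSL_set_client_CA_list takes ownership of the stack, so it must not be dropped here.` above the `unsafe` block. Since in TLS 1.2 the CertificateRequest travels in the clear, a long list also discloses the server's trust configuration to a passive observer and inflates the handshake; a sentence to that effect helps callers size the list deliberately. The parameter type reads as bare `Stack` in this rendering — presumably `Stack<X509Name>` with the type argument lost in extraction; please verify.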
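Review bot: `subject_key_id` and `authority_key_id` pass the raw pointer straight into `Asn1StringRef::from_ptr`, but per the OpenSSL/BoringSSL documentation `X509_get0_subject_key_id` and `X509_get0_authority_key_id` return NULL when the extension is absent or has no keyIdentifier (a self-signed root routinely omits the AKID, and end-entity certificates are only recommended to carry an SKID), so a peer-supplied certificate produces a reference built from a null pointer — undefined behaviour that crashes on first use. Both getters should return `Option<&Asn1StringRef>` and check for null before wrapping; the local `name` should also be renamed, since it holds an octet string rather than a name, and the `as _` cast that discards `const` deserves a `// SAFETY:` note. Changing the return type is cheap now because these accessors are introduced by this commit.
```rust
    pub fn subject_key_id(&self) -> Option<&Asn1StringRef> {
        unsafe {
            let id = ffi::X509_get0_subject_key_id(self.as_ptr());
            if id.is_null() {
                return None;
            }
            // SAFETY: non-null and borrowed from `self`, so it lives as long as the
            // certificate; the const is only discarded to fit the shared-reference wrapper.
            Some(Asn1StringRef::from_ptr(id as _))
        }
    }
    // … unchanged: authority_key_id doc comment …
    pub fn authority_key_id(&self) -> Option<&Asn1StringRef> {
        unsafe {
            let id = ffi::X509_get0_authority_key_id(self.as_ptr());
            // SAFETY: same argument as subject_key_id once the null case is excluded.
            (!id.is_null()).then(|| Asn1StringRef::from_ptr(id as _))
        }
    }
```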