diff --git a/acme_common/src/crypto.rs b/acme_common/src/crypto.rs
index 6697c32..ac9239c 100644
--- a/acme_common/src/crypto.rs
+++ b/acme_common/src/crypto.rs
@@ -4,12 +4,22 @@ use std::str::FromStr;
 mod jws_signature_algorithm;
 mod key_type;
+#[cfg(feature = "openssl_dyn")]
 mod openssl_certificate;
+#[cfg(feature = "openssl_dyn")]
 mod openssl_hash;
+#[cfg(feature = "openssl_dyn")]
 mod openssl_keys;
+#[cfg(feature = "openssl_dyn")]
 mod openssl_subject_attribute;
+#[cfg(feature = "openssl_dyn")]
 mod openssl_version;
+const APP_ORG: &str = "ACMEd";
+const APP_NAME: &str = "ACMEd";
+const X509_VERSION: i32 = 0x02;
+const CRT_SERIAL_NB_BITS: i32 = 32;
+const INVALID_EXT_MSG: &str = "invalid acmeIdentifier extension";
 pub const CRT_NB_DAYS_VALIDITY: u32 = 7;
 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)]
@@ -70,8 +80,13 @@ impl fmt::Display for BaseHashFunction {
 pub use jws_signature_algorithm::JwsSignatureAlgorithm;
 pub use key_type::KeyType;
+#[cfg(feature = "openssl_dyn")]
 pub use openssl_certificate::{Csr, X509Certificate};
+#[cfg(feature = "openssl_dyn")]
 pub use openssl_hash::HashFunction;
+#[cfg(feature = "openssl_dyn")]
 pub use openssl_keys::{gen_keypair, KeyPair};
+#[cfg(feature = "openssl_dyn")]
 pub use openssl_subject_attribute::SubjectAttribute;
+#[cfg(feature = "openssl_dyn")]
 pub use openssl_version::{get_lib_name, get_lib_version};
diff --git a/acme_common/src/crypto/openssl_certificate.rs b/acme_common/src/crypto/openssl_certificate.rs
index 22f6d81..b5fc3fe 100644
--- a/acme_common/src/crypto/openssl_certificate.rs
+++ b/acme_common/src/crypto/openssl_certificate.rs
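Review bot: The five constants added to `crypto.rs` are left ungated while every consumer this commit leaves them with (`gen_certificate` in `openssl_certificate.rs`) sits behind `openssl_dyn`, so a build without that feature gets a `dead_code` warning for each of them; either put `#[cfg(feature = "openssl_dyn")]` on the group or say in a comment why they are meant to be shared. They also carry no doc comments now that they live in the crate-visible `crypto` module, and `CRT_SERIAL_NB_BITS` in particular is consumed as `super::CRT_SERIAL_NB_BITS - 1` in the serial generation, so a line such as `/// Width of the random certificate serial; gen_certificate draws CRT_SERIAL_NB_BITS - 1 random bits.` would spare the next reader that arithmetic. The resulting 31-bit serial is well under the 64 bits of CSPRNG output the CA/Browser Forum baseline requires of publicly trusted issuers; for a self-signed TLS-ALPN-01 validation certificate that is presumably acceptable, but stating it in the comment keeps the constant from being reused for a certificate where it is not.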
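Review bot: Gating the `pub use` re-exports makes the public API of `acme_common::crypto` depend on a feature, and the one downstream import visible in this diff, `use acme_common::crypto::{get_lib_name, get_lib_version, HashFunction, KeyType, X509Certificate};` in `tacd/src/main.rs`, is left unconditional although four of those five names (all but `KeyType`) are now behind `openssl_dyn`. Unless tacd's manifest always enables the feature, which is not visible here, a non-feature build of tacd fails to resolve them, so either that import needs the same `#[cfg(feature = "openssl_dyn")]` or the gating of `mod openssl_server` in tacd is not buying anything. A `//!` note on the `crypto` module listing which items require `openssl_dyn` would make the feature-dependent surface discoverable without reading the attributes.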
@@ -12,12 +12,6 @@ use std::collections::{HashMap, HashSet};
 use std::net::IpAddr;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
-const APP_ORG: &str = "ACMEd";
-const APP_NAME: &str = "ACMEd";
-const X509_VERSION: i32 = 0x02;
-const CRT_SERIAL_NB_BITS: i32 = 32;
-const INVALID_EXT_MSG: &str = "invalid acmeIdentifier extension";
-
 fn get_digest(digest: HashFunction, key_pair: &KeyPair) -> MessageDigest {
 #[cfg(not(any(ed25519, ed448)))]
 let digest = digest.native_digest();
@@ -162,16 +156,16 @@ fn gen_certificate(
 acme_ext: &str,
 ) -> Result {
 let mut x509_name = X509NameBuilder::new()?;
- x509_name.append_entry_by_text("O", APP_ORG)?;
- let ca_name = format!("{} TLS-ALPN-01 Authority", APP_NAME);
+ x509_name.append_entry_by_text("O", super::APP_ORG)?;
+ let ca_name = format!("{} TLS-ALPN-01 Authority", super::APP_NAME);
 x509_name.append_entry_by_text("CN", &ca_name)?;
 let x509_name = x509_name.build();
 let mut builder = X509Builder::new()?;
- builder.set_version(X509_VERSION)?;
+ builder.set_version(super::X509_VERSION)?;
 let serial_number = {
 let mut serial = BigNum::new()?;
- serial.rand(CRT_SERIAL_NB_BITS - 1, MsbOption::MAYBE_ZERO, false)?;
+ serial.rand(super::CRT_SERIAL_NB_BITS - 1, MsbOption::MAYBE_ZERO, false)?;
 serial.to_asn1_integer()?
 };
 builder.set_serial_number(&serial_number)?;
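Review bot: Qualifying every reference with `super::` in this hunk and in the acmeIdentifier-extension hunk that follows adds noise to lines that were already long, and makes the extension code spell `Error::from(super::INVALID_EXT_MSG)` five times; a single `use super::{APP_NAME, APP_ORG, CRT_SERIAL_NB_BITS, INVALID_EXT_MSG, X509_VERSION};` in the module's import block would have kept the bodies byte-identical to the old version and confined the change to the two places where the definitions actually moved. The same comment applies to the `@@ -191,16 +185,16 @@` hunk. gen_certificate starts and ends outside this hunk.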
@@ -191,16 +185,16 @@ fn gen_certificate(
 if !acme_ext.is_empty() {
 let ctx = builder.x509v3_context(None, None);
 let mut v: Vec<&str> = acme_ext.split('=').collect();
- let value = v.pop().ok_or_else(|| Error::from(INVALID_EXT_MSG))?;
- let acme_ext_name = v.pop().ok_or_else(|| Error::from(INVALID_EXT_MSG))?;
+ let value = v.pop().ok_or_else(|| Error::from(super::INVALID_EXT_MSG))?;
+ let acme_ext_name = v.pop().ok_or_else(|| Error::from(super::INVALID_EXT_MSG))?;
 if !v.is_empty() {
- return Err(Error::from(INVALID_EXT_MSG));
+ return Err(Error::from(super::INVALID_EXT_MSG));
 }
 let acme_ext = X509Extension::new(None, Some(&ctx), &acme_ext_name, &value)
- .map_err(|_| Error::from(INVALID_EXT_MSG))?;
+ .map_err(|_| Error::from(super::INVALID_EXT_MSG))?;
 builder
 .append_extension(acme_ext)
- .map_err(|_| Error::from(INVALID_EXT_MSG))?;
+ .map_err(|_| Error::from(super::INVALID_EXT_MSG))?;
 }
 builder.sign(&key_pair.inner_key, *digest)?;
diff --git a/acme_common/src/error.rs b/acme_common/src/error.rs
index c0699f4..5802230 100644
--- a/acme_common/src/error.rs
+++ b/acme_common/src/error.rs
@@ -111,12 +111,14 @@ impl From for Error {
 }
 }
+#[cfg(feature = "openssl_dyn")]
 impl From for Error {
 fn from(error: native_tls::Error) -> Self {
 format!("{}", error).into()
 }
 }
+#[cfg(feature = "openssl_dyn")]
 impl From for Error {
 fn from(error: openssl::error::ErrorStack) -> Self {
 format!("{}", error).into()
diff --git a/acmed/src/http.rs b/acmed/src/http.rs
index 851474b..55e323c 100644
--- a/acmed/src/http.rs
+++ b/acmed/src/http.rs
@@ -1,9 +1,11 @@
 use crate::acme_proto::structs::{AcmeError, HttpApiError};
 use crate::endpoint::Endpoint;
+#[cfg(feature = "openssl_dyn")]
 use acme_common::crypto::X509Certificate;
 use acme_common::error::Error;
 use attohttpc::{charsets, header, Response, Session};
 use std::fs::File;
+#[cfg(feature = "openssl_dyn")]
 use std::io::prelude::*;
 use std::{thread, time};
@@ -157,10 +159,13 @@ fn get_session(root_certs: &[String]) -> Result {
 session.try_header(header::ACCEPT_LANGUAGE, "en-US,en;q=0.5")?;
 session.try_header(header::USER_AGENT, &useragent)?;
 for crt_file in root_certs.iter() {
- let mut buff = Vec::new();
- File::open(crt_file)?.read_to_end(&mut buff)?;
- let crt = X509Certificate::from_pem_native(&buff)?;
- session.add_root_certificate(crt);
+ #[cfg(feature = "openssl_dyn")]
+ {
+ let mut buff = Vec::new();
+ File::open(crt_file)?.read_to_end(&mut buff)?;
+ let crt = X509Certificate::from_pem_native(&buff)?;
+ session.add_root_certificate(crt);
+ }
 }
 Ok(session)
 }
diff --git a/tacd/src/main.rs b/tacd/src/main.rs
index a0e385d..92a5b60 100644
--- a/tacd/src/main.rs
+++ b/tacd/src/main.rs
@@ -1,5 +1,7 @@
+#[cfg(feature = "openssl_dyn")]
 mod openssl_server;
+#[cfg(feature = "openssl_dyn")]
 use crate::openssl_server::start as server_start;
 use acme_common::crypto::{get_lib_name, get_lib_version, HashFunction, KeyType, X509Certificate};
 use acme_common::error::Error;
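Review bot: With `openssl_dyn` disabled the whole loop body in `get_session` is compiled away, so any `root_certs` the operator configured are silently dropped and the session is returned without them; the caller gets `Ok(session)` and no signal that its trust anchors were never installed. Because the feature is a build-time choice, a configured root certificate that this build cannot load should be a hard error rather than a no-op, and the non-feature build also leaves `crt_file` unused, which produces a warning. I would keep the gated block as written and add an explicit refusal before the loop, in the same `#[cfg]`-on-block style the hunk already uses, so the two builds differ in behaviour only loudly. The start of `get_session` is outside the hunk.
```rust
    session.try_header(header::USER_AGENT, &useragent)?;
    // Refuse trust anchors this build cannot load instead of ignoring them.
    #[cfg(not(feature = "openssl_dyn"))]
    {
        if !root_certs.is_empty() {
            return Err(Error::from(
                "root certificates require the openssl_dyn feature",
            ));
        }
    }
    for crt_file in root_certs.iter() {
        // … unchanged: openssl_dyn-gated certificate loading …
    }
    Ok(session)
```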