From b75b8ba9f7d1ace56b123c3d3d64123cdf37051a Mon Sep 17 00:00:00 2001 From: Rodolphe Breard Date: Tue, 6 Oct 2020 20:06:32 +0200 Subject: [PATCH] Prepare the code for an OpenSSL replacement The part of code that are specific to OpenSSL are now included only if the openssl feature is activated. The generic parts of code included in OpenSSL specific files has been moved out. --- acme_common/src/crypto.rs | 15 ++++++++++++ acme_common/src/crypto/openssl_certificate.rs | 24 +++++++------------ acme_common/src/error.rs | 2 ++ acmed/src/http.rs | 13 ++++++---- tacd/src/main.rs | 2 ++ 5 files changed, 37 insertions(+), 19 deletions(-) diff --git a/acme_common/src/crypto.rs b/acme_common/src/crypto.rs index 6697c32..ac9239c 100644 --- a/acme_common/src/crypto.rs +++ b/acme_common/src/crypto.rs @@ -4,12 +4,22 @@ use std::str::FromStr; mod jws_signature_algorithm; mod key_type; +#[cfg(feature = "openssl_dyn")] mod openssl_certificate; +#[cfg(feature = "openssl_dyn")] mod openssl_hash; +#[cfg(feature = "openssl_dyn")] mod openssl_keys; +#[cfg(feature = "openssl_dyn")] mod openssl_subject_attribute; +#[cfg(feature = "openssl_dyn")] mod openssl_version; +const APP_ORG: &str = "ACMEd"; +const APP_NAME: &str = "ACMEd"; +const X509_VERSION: i32 = 0x02; +const CRT_SERIAL_NB_BITS: i32 = 32; +const INVALID_EXT_MSG: &str = "invalid acmeIdentifier extension"; pub const CRT_NB_DAYS_VALIDITY: u32 = 7; #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)] 
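Review bot: The five constants moved to the top of crypto.rs (`APP_ORG`, `APP_NAME`, `X509_VERSION`, `CRT_SERIAL_NB_BITS`, `INVALID_EXT_MSG`) are declared unconditionally, but as far as this patch shows their only consumers live in openssl_certificate.rs, which is now behind `#[cfg(feature = "openssl_dyn")]`, so a build without that feature will emit dead_code warnings for private constants that nothing references. Either gate them with the same `#[cfg(feature = "openssl_dyn")]` until the replacement backend actually uses them, or make them `pub` if they are meant to become part of the crate API. They also deserve doc comments now that they live apart from their use: `/// X.509 v3 is encoded as the integer 2 (RFC 5280 §4.1.2.1).` above `X509_VERSION`, and `/// Width in bits of the random certificate serial; gen_certificate draws one bit fewer than this.` above `CRT_SERIAL_NB_BITS`, which documents the `- 1` that `gen_certificate` applies.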
@@ -70,8 +80,13 @@ impl fmt::Display for BaseHashFunction { pub use jws_signature_algorithm::JwsSignatureAlgorithm; pub use key_type::KeyType; +#[cfg(feature = "openssl_dyn")] pub use openssl_certificate::{Csr, X509Certificate}; +#[cfg(feature = "openssl_dyn")] pub use openssl_hash::HashFunction; +#[cfg(feature = "openssl_dyn")] pub use openssl_keys::{gen_keypair, KeyPair}; +#[cfg(feature = "openssl_dyn")] pub use openssl_subject_attribute::SubjectAttribute; +#[cfg(feature = "openssl_dyn")] pub use openssl_version::{get_lib_name, get_lib_version}; diff --git a/acme_common/src/crypto/openssl_certificate.rs b/acme_common/src/crypto/openssl_certificate.rs index 22f6d81..b5fc3fe 100644 --- a/acme_common/src/crypto/openssl_certificate.rs +++ b/acme_common/src/crypto/openssl_certificate.rs @@ -12,12 +12,6 @@ use std::collections::{HashMap, HashSet}; use std::net::IpAddr; use std::time::{Duration, SystemTime, UNIX_EPOCH}; -const APP_ORG: &str = "ACMEd"; -const APP_NAME: &str = "ACMEd"; -const X509_VERSION: i32 = 0x02; -const CRT_SERIAL_NB_BITS: i32 = 32; -const INVALID_EXT_MSG: &str = "invalid acmeIdentifier extension"; - fn get_digest(digest: HashFunction, key_pair: &KeyPair) -> MessageDigest { #[cfg(not(any(ed25519, ed448)))] let digest = digest.native_digest(); 
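Review bot: Gating the `pub use` re-exports of `Csr`, `X509Certificate`, `HashFunction`, `KeyPair`, `SubjectAttribute` and the `get_lib_*` helpers behind `openssl_dyn` empties the crate's public crypto API when the feature is off, while dependants still import those names unconditionally — tacd/src/main.rs in this same patch keeps `use acme_common::crypto::{get_lib_name, get_lib_version, HashFunction, KeyType, X509Certificate};` ungated. Until a second backend exists, a build with the feature disabled therefore fails with a cascade of unresolved-import errors instead of one actionable diagnostic. Consider adding next to these re-exports `#[cfg(not(feature = "openssl_dyn"))] compile_error!("acme_common requires a crypto backend: enable the openssl_dyn feature");` so the missing backend fails fast. A short comment on the group, e.g. `// Backend-specific implementations of the public crypto API; exactly one backend must be enabled.`, would tell the next reader why these re-exports are conditional.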
@@ -162,16 +156,16 @@ fn gen_certificate( acme_ext: &str, ) -> Result { let mut x509_name = X509NameBuilder::new()?; - x509_name.append_entry_by_text("O", APP_ORG)?; - let ca_name = format!("{} TLS-ALPN-01 Authority", APP_NAME); + x509_name.append_entry_by_text("O", super::APP_ORG)?; + let ca_name = format!("{} TLS-ALPN-01 Authority", super::APP_NAME); x509_name.append_entry_by_text("CN", &ca_name)?; let x509_name = x509_name.build(); let mut builder = X509Builder::new()?; - builder.set_version(X509_VERSION)?; + builder.set_version(super::X509_VERSION)?; let serial_number = { let mut serial = BigNum::new()?; - serial.rand(CRT_SERIAL_NB_BITS - 1, MsbOption::MAYBE_ZERO, false)?; + serial.rand(super::CRT_SERIAL_NB_BITS - 1, MsbOption::MAYBE_ZERO, false)?; serial.to_asn1_integer()? }; builder.set_serial_number(&serial_number)?; @@ -191,16 +185,16 @@ fn gen_certificate( if !acme_ext.is_empty() { let ctx = builder.x509v3_context(None, None); let mut v: Vec<&str> = acme_ext.split('=').collect(); - let value = v.pop().ok_or_else(|| Error::from(INVALID_EXT_MSG))?; - let acme_ext_name = v.pop().ok_or_else(|| Error::from(INVALID_EXT_MSG))?; + let value = v.pop().ok_or_else(|| Error::from(super::INVALID_EXT_MSG))?; + let acme_ext_name = v.pop().ok_or_else(|| Error::from(super::INVALID_EXT_MSG))?; if !v.is_empty() { - return Err(Error::from(INVALID_EXT_MSG)); + return Err(Error::from(super::INVALID_EXT_MSG)); } let acme_ext = X509Extension::new(None, Some(&ctx), &acme_ext_name, &value) - .map_err(|_| Error::from(INVALID_EXT_MSG))?; + .map_err(|_| Error::from(super::INVALID_EXT_MSG))?; builder .append_extension(acme_ext) - .map_err(|_| Error::from(INVALID_EXT_MSG))?; + .map_err(|_| Error::from(super::INVALID_EXT_MSG))?; } builder.sign(&key_pair.inner_key, *digest)?; diff --git a/acme_common/src/error.rs b/acme_common/src/error.rs index c0699f4..5802230 100644 --- a/acme_common/src/error.rs +++ b/acme_common/src/error.rs 
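Review bot: The serial-number generation kept on the new side, `serial.rand(super::CRT_SERIAL_NB_BITS - 1, MsbOption::MAYBE_ZERO, false)?`, can yield a zero serial when all 31 random bits are clear, and RFC 5280 §4.1.2.2 requires the serial to be a positive integer; `MsbOption::ONE` would guarantee a non-zero 31-bit value at no cost. These are ephemeral self-signed TLS-ALPN-01 challenge certificates, so the uniqueness rules for public CAs do not apply, but a strict validator could still reject the edge case. The `- 1` is an unstated invariant and deserves a line such as `// one bit below CRT_SERIAL_NB_BITS — presumably so the 4-byte encoding needs no leading 0x00; confirm`. Stylistically, the repeated `super::` paths could collapse into a single `use super::{APP_NAME, APP_ORG, CRT_SERIAL_NB_BITS, X509_VERSION};` at the top of the module. `gen_certificate` starts before and continues past this hunk.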
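Review bot: The acmeIdentifier-extension block now spells `Error::from(super::INVALID_EXT_MSG)` five times; a local `let invalid_ext = || Error::from(super::INVALID_EXT_MSG);` before the `split` and `.ok_or_else(invalid_ext)` / `.map_err(|_| invalid_ext())` at each site keeps the error in one place and shortens every line. The parser splits on every `=` and rejects any value containing one, which is presumably fine for the hex `DER:` form but is undocumented; a comment such as `// acme_ext is "<extension name>=<value>"; the value must not contain '='` would make the contract explicit. Separately, RFC 8737 §3 requires the acmeIdentifier extension to be marked critical, and nothing here sets criticality, so it must be carried in the value string by the caller — worth confirming, since a non-critical extension makes the challenge certificate invalid for TLS-ALPN-01 validation. The enclosing `gen_certificate` continues past this hunk.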
@@ -111,12 +111,14 @@ impl From for Error { } } +#[cfg(feature = "openssl_dyn")] impl From for Error { fn from(error: native_tls::Error) -> Self { format!("{}", error).into() } } +#[cfg(feature = "openssl_dyn")] impl From for Error { fn from(error: openssl::error::ErrorStack) -> Self { format!("{}", error).into() diff --git a/acmed/src/http.rs b/acmed/src/http.rs index 851474b..55e323c 100644 --- a/acmed/src/http.rs +++ b/acmed/src/http.rs @@ -1,9 +1,11 @@ use crate::acme_proto::structs::{AcmeError, HttpApiError}; use crate::endpoint::Endpoint; +#[cfg(feature = "openssl_dyn")] use acme_common::crypto::X509Certificate; use acme_common::error::Error; use attohttpc::{charsets, header, Response, Session}; use std::fs::File; +#[cfg(feature = "openssl_dyn")] use std::io::prelude::*; use std::{thread, time}; @@ -157,10 +159,13 @@ fn get_session(root_certs: &[String]) -> Result { session.try_header(header::ACCEPT_LANGUAGE, "en-US,en;q=0.5")?; session.try_header(header::USER_AGENT, &useragent)?; for crt_file in root_certs.iter() { - let mut buff = Vec::new(); - File::open(crt_file)?.read_to_end(&mut buff)?; - let crt = X509Certificate::from_pem_native(&buff)?; - session.add_root_certificate(crt); + #[cfg(feature = "openssl_dyn")] + { + let mut buff = Vec::new(); + File::open(crt_file)?.read_to_end(&mut buff)?; + let crt = X509Certificate::from_pem_native(&buff)?; + session.add_root_certificate(crt); + } } Ok(session) } diff --git a/tacd/src/main.rs b/tacd/src/main.rs index a0e385d..92a5b60 100644 --- a/tacd/src/main.rs +++ b/tacd/src/main.rs @@ -1,5 +1,7 @@ +#[cfg(feature = "openssl_dyn")] mod openssl_server; +#[cfg(feature = "openssl_dyn")] use crate::openssl_server::start as server_start; use acme_common::crypto::{get_lib_name, get_lib_version, HashFunction, KeyType, X509Certificate}; use acme_common::error::Error;
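Review bot: Putting the `From` conversion for `native_tls::Error` behind `openssl_dyn` ties a platform-TLS crate to the OpenSSL feature: native_tls also wraps SChannel and SecureTransport, and acmed/src/http.rs keeps the attohttpc `Session` code unconditional. If any `?` on a `native_tls::Error` remains outside the gated code, a build without the feature fails on this missing conversion rather than on a clear backend error. Gate this impl on whichever Cargo feature actually pulls in native_tls (or a dedicated feature) and keep only the `openssl::error::ErrorStack` conversion under `openssl_dyn`.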
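Review bot: With `openssl_dyn` off, `get_session` now walks `root_certs` and silently discards every configured trust anchor, so an operator who pointed `root_certs` at a private CA ends up with a session trusting only the default store and no indication why; it also leaves `crt_file` (and the `File` import) unused, which rustc will warn about. Fail closed instead: before the loop add `#[cfg(not(feature = "openssl_dyn"))] if !root_certs.is_empty() { return Err(Error::from("root_certs requires the openssl_dyn feature")); }` and put the cfg on the whole `for` loop rather than only its body. That keeps the behaviour explicit until the replacement backend can load PEM roots. `get_session` starts before this hunk.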