use underlying libraries for pem parsing

Author: Goirad

Cargo.toml

@@ -21,7 +21,7 @@ libc = "0.2"
 tempfile = "3.0"
 
 [target.'cfg(target_os = "windows")'.dependencies]
-schannel = "0.1.16"
+schannel = "0.1.17"
 
 [target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))'.dependencies]
 log = "0.4.5"

src/imp/openssl.rs

@@ -15,7 +15,6 @@ use std::error;
 use std::fmt;
 use std::io;
 use std::sync::{Once, ONCE_INIT};
-use pem;
 
 use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
 
@@ -171,11 +170,7 @@ impl Identity {
 
     pub fn from_pkcs8(buf: &[u8], key: &[u8]) -> Result<Identity, Error> {
         let pkey = PKey::private_key_from_pem(key)?;
-        let mut cert_chain = vec!();
-        for buf in pem::PemBlock::new(buf) {
-            cert_chain.push(X509::from_pem(buf)?);
-        }
-        let mut cert_chain = cert_chain.into_iter();
+        let mut cert_chain = X509::stack_from_pem(buf)?.into_iter();
         let cert = cert_chain.next();
         let chain = cert_chain.collect();
         Ok(Identity {

src/imp/schannel.rs

@@ -112,9 +112,8 @@ impl Identity {
             Ok(container) => container,
             Err(_) => options.new_keyset(true).acquire(type_)?,
         };
-        let key = crate::pem::pem_to_der(key, Some(crate::pem::PEM_PRIVATE_KEY)).expect("invalid PKCS8 key provided");
         container.import()
-            .import_pkcs8(&key)?;
+            .import_pkcs8_pem(&key)?;
 
         cert.set_key_prov_info()
             .container("schannel")

src/pem.rs

@@ -35,67 +35,6 @@ lazy_static!{
     };
 }
 
-/// Convert PEM to DER. If `guard` is specified (e.g. as PEM_CERTIFICATE), then the guardlines are
-/// verified to match the expected string. Otherwise, the guardlines are verified to generally have
-/// the correct form.
-///
-/// On failure (due to guardlines syntax or an illegal PEM character), returns None.
-pub fn pem_to_der<T: ?Sized + AsRef<[u8]>>(pem: &T, guard: Option<&PemGuard>) -> Option<Vec<u8>> {
-    let pem = match std::str::from_utf8(pem.as_ref()) {
-        Err(_) => return None,
-        Ok(p) => p,
-    };
-    let pem = match pem.find("-----") {
-        Some(i) => pem.split_at(i).1,
-        None => return None,
-    };
-    let mut lines = pem.lines();
-
-    let begin = match lines.next() {
-        Some(l) => l,
-        None => return None,
-    };
-    let end = match lines.last() {
-        Some(l) => l,
-        None => return None,
-    };
-
-    if let Some(g) = guard {
-        if begin != g.begin || end != g.end {
-            return None;
-        }
-    } else {
-        if !begin.starts_with("-----BEGIN ") || !begin.ends_with("-----") ||
-                !end.starts_with("-----END") || !end.ends_with("-----") {
-            return None;
-        }
-    }
-
-    let body_start = pem.char_indices()
-        .skip(begin.len())
-        .skip_while(|t| t.1.is_whitespace())
-        .next().unwrap().0;
-    let body_end = pem.rmatch_indices(&end).next().unwrap().0;
-    pem[body_start..body_end].from_base64().ok()
-}
-
-/// Convert DER to PEM. The guardlines use the identifying string chosen by `guard`
-/// (e.g. PEM_CERTIFICATE).
-pub fn der_to_pem<T: ?Sized + AsRef<[u8]>>(der: &T, guard: &PemGuard) -> String {
-    let mut pem = String::new();
-
-    pem.push_str(guard.begin);
-    pem.push('\n');
-    if der.as_ref().len() > 0 {
-        pem.push_str(&der.as_ref().to_base64(*BASE64_PEM));
-        pem.push('\n');
-    }
-    pem.push_str(guard.end);
-    pem.push('\n');
-
-    pem
-}
-
 /// Split data by PEM guard lines
 pub struct PemBlock<'a> {
     pem_block: &'a str,
@@ -129,52 +68,6 @@ impl<'a> Iterator for PemBlock<'a> {
     }
 }
 
-#[test]
-fn test_pem() {
-    assert!(pem_to_der("", None).is_none());
-    assert!(pem_to_der("-----BEGIN CERTIFICATE-----\n-----END JUNK-----\n", Some(PEM_CERTIFICATE)).is_none());
-    assert!(pem_to_der("-----BEGIN JUNK-----\n-----END CERTIFICATE-----\n", Some(PEM_CERTIFICATE)).is_none());
-    assert_eq!(pem_to_der("-----BEGIN JUNK-----\n-----END GARBAGE-----\n", None).unwrap(), vec![]);
-    assert_eq!(pem_to_der("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n", None).unwrap(), vec![]);
-    assert!(pem_to_der("-----EGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n", None).is_none());
-    assert!(pem_to_der("-----BEGIN CERTIFICATE-----\n-----ND CERTIFICATE-----\n", None).is_none());
-    assert!(pem_to_der("-----BEGIN CERTIFICATE----\n-----END CERTIFICATE-----\n", None).is_none());
-    assert!(pem_to_der("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n", None).is_none());
-    assert_eq!(pem_to_der("-----BEGIN JUNK-----\n\
-                          AAECAwQFBgcICQoLDA0ODw==\n\
-                          -----END GARBAGE-----\n", None).unwrap(),
-               vec![0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]);
-    assert_eq!(pem_to_der("-----BEGIN CERTIFICATE-----\n\
-                          AAECAwQFBgcICQoLDA0ODw==\n\
-                          -----END CERTIFICATE-----\n", None).unwrap(),
-               vec![0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]);
-}
-
-#[test]
-fn test_roundtrip_whole_line() {
-    // Test the case where the PEM is a multiple of whole lines.
-    let test_cert =
-"-----BEGIN CERTIFICATE-----
-MIIHBTCCBe2gAwIBAgIRAIFsdIAf8kR29DFR7K4znoIwDQYJKoZIhvcNAQELBQAw
------END CERTIFICATE-----
-";
-
-    assert_eq!(der_to_pem(&pem_to_der(test_cert, Some(PEM_CERTIFICATE)).unwrap(), PEM_CERTIFICATE), test_cert);
-}
-
-#[test]
-fn test_wrapping() {
-    let mut v: Vec<u8> = vec![];
-    let bytes_per_line = BASE64_PEM_WRAP * 3 / 4;
-    for i in 0..2*bytes_per_line {
-        let pem = der_to_pem(&v, PEM_CERTIFICATE);
-        // Check that we can do a round trip, and that we got the expected number of lines.
-        assert_eq!(pem_to_der(&pem, Some(PEM_CERTIFICATE)).unwrap(), v);
-        assert_eq!(pem.matches("\n").count(), 2 + (i + bytes_per_line - 1) / bytes_per_line);
-        v.push(0);
-    }
-}
-
 #[test]
 fn test_split() {
     // Split three certs, CRLF line terminators.