1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

use std::fs;
use std::process::Command;
use std::process::Stdio;

use tempfile::Builder as TempBuilder;

/// Convert DER certificate to PKCS #12 using openssl command.
pub(crate) fn der_to_pkcs12(cert: &[u8], key: &[u8]) -> anyhow::Result<(Vec<u8>, String)> {
    let temp_dir = TempBuilder::new()
        .prefix("tls-api-der-to-pkcs12")
        .tempdir()
        .unwrap();

    let cert_file = temp_dir.path().join("cert.pem");
    let pkcs12_file = temp_dir.path().join("cert.pkcs12");

    let passphrase = "tls-api-123";

    let pem_data = pem::encode_many(&[
        pem::Pem {
            tag: "CERTIFICATE".to_owned(),
            contents: cert.to_owned(),
        },
        pem::Pem {
            // Technically it can be non-RSA PRIVATE KEY
            tag: "RSA PRIVATE KEY".to_owned(),
            contents: key.to_owned(),
        },
    ]);

    fs::write(&cert_file, pem_data)?;

    let output = Command::new("openssl")
        .arg("pkcs12")
        .arg("-export")
        .arg("-nodes")
        .arg("-in")
        .arg(&cert_file)
        .arg("-out")
        .arg(&pkcs12_file)
        .arg("-password")
        .arg(format!("pass:{}", passphrase))
        .stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::inherit())
        .output()?;

    if !output.status.success() {
        return Err(crate::CommonError::OpensslCommandFailedToConvert.into());
    }

    let pkcs12 = fs::read(pkcs12_file)?;
    Ok((pkcs12, passphrase.to_owned()))
}

/// PKCS #12 certificate to DER using openssl command.
pub(crate) fn pkcs12_to_der(pkcs12: &[u8], passphrase: &str) -> anyhow::Result<(Vec<u8>, Vec<u8>)> {
    let temp_dir = TempBuilder::new()
        .prefix("tls-api-der-to-pkcs12")
        .tempdir()
        .unwrap();

    let cert_pem_file = temp_dir.path().join("cert.pem");
    let pkcs12_file = temp_dir.path().join("cert.pkcs12");

    fs::write(&pkcs12_file, pkcs12)?;

    let output = Command::new("openssl")
        .arg("pkcs12")
        .arg("-nodes")
        .arg("-in")
        .arg(&pkcs12_file)
        .arg("-out")
        .arg(&cert_pem_file)
        .arg("-password")
        .arg(format!("pass:{}", passphrase))
        .stdin(Stdio::null())
        .stdout(Stdio::null())
        .stderr(Stdio::inherit())
        .output()?;

    if !output.status.success() {
        return Err(crate::CommonError::OpensslCommandFailedToConvert.into());
    }

    let cert_pem = fs::read_to_string(cert_pem_file)?;
    let pems = pem::parse_many(cert_pem);
    let mut certificates: Vec<Vec<u8>> = pems
        .iter()
        .flat_map(|p| match p.tag.as_str() {
            "CERTIFICATE" => Some(p.contents.clone()),
            _ => None,
        })
        .collect();
    let mut keys: Vec<Vec<u8>> = pems
        .iter()
        .flat_map(|p| match p.tag.as_str() {
            "PRIVATE KEY" | "RSA PRIVATE KEY" => Some(p.contents.clone()),
            _ => None,
        })
        .collect();
    if keys.len() != 1 || certificates.len() != 1 {
        return Err(
            crate::CommonError::PemFromPkcs12ContainsNotSingleCertKeyPair(
                pems.iter().map(|p| p.tag.clone()).collect(),
            )
            .into(),
        );
    }
    Ok((certificates.swap_remove(0), keys.swap_remove(0)))
}