Provide OpenSSL integration

ctz · ctz · commit c2fb3b4cfa3d · 2026-04-09T21:25:40.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -56,7 +56,9 @@ jobs:
       - name: Run tests (debug)
         run: cargo test --locked
       - name: Check FFI header
-        run: git diff --exit-code -- upki-ffi/upki.h
+        run: |
+          git diff --exit-code -- upki-ffi/upki.h
+          git diff --exit-code -- upki-openssl/upki-openssl.h
 
       - name: Build (release)
         run: cargo build --locked --release
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace]
-members = ["upki", "upki-mirror", "revoke-test", "rustls-upki", "upki-ffi"]
+members = ["upki", "upki-mirror", "revoke-test", "rustls-upki", "upki-ffi", "upki-openssl"]
 resolver = "3"
 
 [workspace.package]
@@ -21,6 +21,7 @@ hex = { version = "0.4", features = ["serde"] }
 http = "1"
 insta = { version = "1.44.3", features = ["filters"] }
 insta-cmd = "0.6.0"
+openssl-sys = "0"
 reqwest = { version = "0.13", default-features = false, features = ["charset", "default-tls", "h2", "http2", "json"] }
 rand = "0.10"
 regex = "1.12"
diff --git a/upki-openssl/Cargo.toml b/upki-openssl/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "upki-openssl"
+version = "0.1.0"
+license.workspace = true
+rust-version.workspace = true
+edition.workspace = true
+repository.workspace = true
+
+[lib]
+name = "upkiopenssl"
+crate-type = ["cdylib"]
+
+[dependencies]
+openssl-sys = { workspace = true }
+rustls-pki-types.workspace = true
+upki = { path = "../upki", version = "0.2.0" }
+
+[build-dependencies]
+cbindgen.workspace = true
+
+[lints]
+workspace = true
diff --git a/upki-openssl/build.rs b/upki-openssl/build.rs
@@ -0,0 +1,16 @@
+use std::env;
+use std::path::PathBuf;
+
+use cbindgen::Language;
+
+fn main() {
+    let crate_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap());
+    cbindgen::Builder::new()
+        .with_crate(&crate_dir)
+        .with_language(Language::C)
+        .with_sys_include("openssl/x509_vfy.h")
+        .with_include_guard("UPKI_OPENSSL_H")
+        .generate()
+        .expect("unable to generate bindings")
+        .write_to_file(crate_dir.join("upki-openssl.h"));
+}
diff --git a/upki-openssl/src/lib.rs b/upki-openssl/src/lib.rs
@@ -0,0 +1,150 @@
+#![warn(clippy::undocumented_unsafe_blocks)]
+
+use core::ptr;
+use std::os::raw::c_int;
+use std::slice;
+
+use openssl_sys::{
+    OPENSSL_free, OPENSSL_sk_num, OPENSSL_sk_value, X509, X509_STORE_CTX,
+    X509_STORE_CTX_get0_chain, X509_STORE_CTX_set_error, X509_V_ERR_APPLICATION_VERIFICATION,
+    X509_V_ERR_CERT_REVOKED, i2d_X509, stack_st_X509,
+};
+use rustls_pki_types::CertificateDer;
+use upki::Error;
+use upki::revocation::{Manifest, RevocationCheckInput, RevocationStatus};
+
+/// This is a function matching OpenSSL's `SSL_verify_cb` type which does
+/// revocation checking using upki.
+///
+/// The configuration file and data location is found automatically.
+///
+/// # Safety
+/// This function is called by OpenSSL typically, and its correct operation
+/// hinges almost entirely on being called properly.  For example, that
+/// `x509_ctx` is a valid pointer, or NULL.
+///
+/// On unexpected/unrecoverable errors, this function returns 0.
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn upki_openssl_verify_callback(
+    mut preverify_ok: c_int,
+    x509_ctx: *mut X509_STORE_CTX,
+) -> c_int {
+    // Revocation checking never improves the situation if the verification has failed.
+    if preverify_ok == 0 {
+        return preverify_ok;
+    }
+
+    // SAFETY: via essential and established principles of the C type system, we rely on
+    // OpenSSL to call this function with a `x509_ctx` that points to a valid value, or
+    // exceptionally is NULL.
+    let Some(mut x509_ctx) = (unsafe { BorrowedX509StoreCtx::from_ptr(x509_ctx) }) else {
+        return 0;
+    };
+
+    let Some(chain) = x509_ctx.chain() else {
+        return 0;
+    };
+
+    let Some(certs) = chain.copy_certs() else {
+        return 0;
+    };
+
+    match revocation_check(&certs) {
+        Ok(RevocationStatus::CertainlyRevoked) => {
+            x509_ctx.set_error(X509_V_ERR_CERT_REVOKED);
+            preverify_ok = 0;
+        }
+        Ok(RevocationStatus::NotCoveredByRevocationData | RevocationStatus::NotRevoked) => {}
+        Err(_e) => {
+            x509_ctx.set_error(X509_V_ERR_APPLICATION_VERIFICATION);
+            preverify_ok = 0;
+        }
+    }
+
+    preverify_ok
+}
+
+fn revocation_check(certs: &[CertificateDer<'_>]) -> Result<RevocationStatus, Error> {
+    let path = upki::ConfigPath::new(None)?;
+    let config = upki::Config::from_file_or_default(&path)?;
+    let manifest = Manifest::from_config(&config)?;
+    let input = RevocationCheckInput::from_certificates(certs)?;
+    match manifest.check(&input, &config) {
+        Ok(st) => Ok(st),
+        Err(e) => Err(Error::Revocation(e)),
+    }
+}
+
+struct BorrowedX509StoreCtx<'a>(&'a mut X509_STORE_CTX);
+
+impl<'a> BorrowedX509StoreCtx<'a> {
+    unsafe fn from_ptr(ptr: *mut X509_STORE_CTX) -> Option<Self> {
+        // SAFETY: we pass up the requirements of `ptr::as_mut()` to our caller
+        unsafe { ptr.as_mut() }.map(Self)
+    }
+
+    fn chain(&self) -> Option<BorrowedX509Stack<'a>> {
+        // SAFETY: X509_STORE_CTX_get0_chain has no published documentation saying when it is
+        // safe to call.  This type guarantees that the pointer is of the correct type, alignment, etc,
+        // and is non-NULL.
+        let chain = unsafe { X509_STORE_CTX_get0_chain(ptr::from_ref(self.0)) };
+
+        // SAFETY: we require that openssl correctly returns a valid pointer, or NULL.
+        unsafe { chain.as_ref() }.map(BorrowedX509Stack)
+    }
+
+    fn set_error(&mut self, err: i32) {
+        // SAFETY: the input pointer is valid, because it comes from our reference.
+        // OpenSSL does not document any other preconditions.
+        unsafe { X509_STORE_CTX_set_error(ptr::from_mut(self.0), err) };
+    }
+}
+
+struct BorrowedX509Stack<'a>(&'a stack_st_X509);
+
+impl<'a> BorrowedX509Stack<'a> {
+    fn copy_certs(&self) -> Option<Vec<CertificateDer<'static>>> {
+        // SAFETY: the stack pointer is valid, thanks to it being from a reference.
+        let count = unsafe { OPENSSL_sk_num(ptr::from_ref(self.0).cast()) };
+        if count < 0 {
+            return None;
+        }
+
+        let mut certs = vec![];
+        for i in 0..count {
+            // SAFETY: the stack pointer is valid, thanks to it being from a reference.  `OPENSSL_sk_value` returns
+            // a valid pointer to the item or NULL.
+            let x509: *const X509 =
+                unsafe { OPENSSL_sk_value(ptr::from_ref(self.0).cast(), i).cast() };
+
+            // SAFETY: we require OpenSSL only fills the stack with valid pointers to X509 objects (or NULL)
+            let x509 = unsafe { x509.as_ref() }?;
+            certs.push(x509_to_certificate_der(x509));
+        }
+
+        Some(certs)
+    }
+}
+
+fn x509_to_certificate_der(x509: &'_ X509) -> CertificateDer<'static> {
+    // SAFETY: the x509 pointer is valid, thanks to it coming from a reference.
+    let (ptr, len) = unsafe {
+        let mut ptr = ptr::null_mut();
+        let len = i2d_X509(ptr::from_ref(x509), &mut ptr);
+        (ptr, len)
+    };
+
+    if len <= 0 {
+        return vec![].into();
+    }
+    let len = len as usize;
+
+    let mut v = Vec::with_capacity(len);
+    // SAFETY: we rely on i2d_X509 allocating `ptr` correctly and signalling an error via negative `len` if not.
+    // `ptr` must be an allocated pointer.
+    unsafe {
+        v.extend_from_slice(slice::from_raw_parts(ptr, len));
+        OPENSSL_free(ptr as *mut _);
+    }
+    v.into()
+}
diff --git a/upki-openssl/upki-openssl.h b/upki-openssl/upki-openssl.h
@@ -0,0 +1,25 @@
+#ifndef UPKI_OPENSSL_H
+#define UPKI_OPENSSL_H
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <openssl/x509_vfy.h>
+
+/**
+ * This is a function matching OpenSSL's `SSL_verify_cb` type which does
+ * revocation checking using upki.
+ *
+ * The configuration file and data location is found automatically.
+ *
+ * # Safety
+ * This function is called by OpenSSL typically, and its correct operation
+ * hinges almost entirely on being called properly.  For example, that
+ * `x509_ctx` is a valid pointer, or NULL.
+ *
+ * On unexpected/unrecoverable errors, this function returns 0.
+ */
+int upki_openssl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
+
+#endif  /* UPKI_OPENSSL_H */
