
Error while loading PEM generated on the fly  #2146

@guptajiten

Description

@guptajiten

We are getting an error while reading a PEM file using X509::stack_from_pem. What is happening is that an error is left on the error stack and is pulled later, when the PEM file is read into a certificate stack.

  • This is seen with 0.10.62 and not with 0.10.61.
  • This error cannot be reproduced on macOS or Windows but can be easily reproduced on Linux.
  • OpenSSL versions tested: 1.1.1 on Linux
  • OpenSSL versions tested: 3.0.8 on Linux

PEM generation code:

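    impl TestResources {
        /// Generates a throw-away RSA-2048 key pair and a one-day self-signed
        /// certificate for it, writes them as PEM files into the OS temp
        /// directory and returns both the file names and the PEM bytes.
        ///
        /// # Panics
        /// Every OpenSSL and filesystem call is `unwrap`ped: this is test
        /// fixture code and any failure here should abort the test run.
        pub fn init() -> Self {
            let rsa_key = Rsa::<Private>::generate(2048).unwrap();
            let key_pair = PKey::<Private>::from_rsa(rsa_key).unwrap();

            // Subject and issuer are the same name: the certificate is self-signed.
            let mut name_builder = openssl::x509::X509NameBuilder::new().unwrap();
            name_builder.append_entry_by_text("C", "US").unwrap();
            name_builder.append_entry_by_text("ST", "CA").unwrap();
            name_builder.append_entry_by_text("O", "Some organization").unwrap();
            name_builder.append_entry_by_text("CN", "www.example.com").unwrap();
            let x509_name = name_builder.build();

            let mut cert_builder = openssl::x509::X509::builder().unwrap();
            cert_builder.set_subject_name(&x509_name).unwrap();
            cert_builder.set_issuer_name(&x509_name).unwrap();
            cert_builder.set_pubkey(key_pair.as_ref()).unwrap();
            // Valid from now for one day: long enough for a test run, short enough
            // that a leaked fixture certificate is of little use afterwards.
            cert_builder.set_not_before(asn1::Asn1Time::days_from_now(0).unwrap().as_ref()).unwrap();
            cert_builder.set_not_after(asn1::Asn1Time::days_from_now(1).unwrap().as_ref()).unwrap();
            // `2` is the on-the-wire value for X.509 v3 (versions are zero-based).
            cert_builder.set_version(2).unwrap();
            // RFC 5280 requires a positive serial number; 1 is the smallest
            // conforming value (the original fixture used 0).
            let serial = BigNum::from_u32(1).unwrap();
            cert_builder.set_serial_number(asn1::Asn1Integer::from_bn(&serial).unwrap().as_ref()).unwrap();
            cert_builder.sign(key_pair.as_ref(), MessageDigest::sha256()).unwrap();
            let x509 = cert_builder.build();

            // Fixture files live in the OS temp directory under fixed names, so
            // repeated runs overwrite the previous files rather than accumulate.
            let temp_file = |name: &str| env::temp_dir().join(name).to_str().unwrap().to_string();
            let server_certificate_filename = temp_file("server_certificate.pem");
            let server_key_filename = temp_file("server_key.pem");
            let server_key_pass_filename = temp_file("server_key_pass.pem");

            let server_certificate_content = x509.to_pem().unwrap();
            // PKCS#1 ("BEGIN RSA PRIVATE KEY") and PKCS#8 ("BEGIN PRIVATE KEY")
            // encodings of the same key, for tests that need either form.
            let server_key_content_pkcs1 = key_pair.rsa().unwrap().private_key_to_pem().unwrap();
            let server_key_content_pkcs8 = key_pair.private_key_to_pem_pkcs8().unwrap();
            // Encrypted PKCS#8 export uses AES-256-CBC. The original fixture used
            // AES-256-ECB, a mode with no IV and hence no cipher parameters to
            // encode, which is consistent with the `EVP_CIPHER_asn1_to_param`
            // error the report found left on the OpenSSL error stack.
            // The passphrase is the key file's own path: acceptable for a test
            // fixture, not a pattern for protecting real keys.
            let server_key_pass_content_pkcs8 = key_pair
                .private_key_to_pem_pkcs8_passphrase(Cipher::aes_256_cbc(), server_key_pass_filename.as_bytes())
                .unwrap();

            fs::write(&server_certificate_filename, &server_certificate_content).unwrap();
            fs::write(&server_key_filename, &server_key_content_pkcs8).unwrap();
            fs::write(&server_key_pass_filename, &server_key_pass_content_pkcs8).unwrap();

            Self {
                server_certificate_filename,
                server_key_filename,
                server_key_pass_filename,
                server_certificate_content,
                server_key_content_pkcs1,
                server_key_content_pkcs8,
                server_key_pass_content_pkcs8,
            }
        }
    }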

Example

use anyhow::Context;
use std::fs::File;
use std::io::Read;
use openssl::x509::X509;
use openssl::pkey::{PKey, Private};
use openssl::rsa::Rsa;
use openssl::symm::Cipher;
 
/// Minimal trigger for the reported problem: one passphrase-protected PKCS#8
/// export of a fresh RSA key, whose result is discarded.
///
/// The call returns `Ok`, yet (per the report) an `EVP_CIPHER_asn1_to_param`
/// error stays queued on OpenSSL's error stack and surfaces from the next
/// unrelated operation that drains it. ECB has no IV, so there are no cipher
/// parameters to encode; code that actually needs to protect a key should use
/// a mode with an IV such as `Cipher::aes_256_cbc()`.
pub fn init() {
    let rsa = Rsa::<Private>::generate(2048).unwrap();
    let pkey = PKey::<Private>::from_rsa(rsa).unwrap();
    let _encrypted_pkcs8 = pkey
        .private_key_to_pem_pkcs8_passphrase(Cipher::aes_256_ecb(), b"placeholder")
        .unwrap();
}
 
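/// Reads `./server_certificate.pem` and parses it into a certificate stack,
/// after first running `init()` to queue the stale OpenSSL error.
///
/// # Panics
/// On any I/O or parse failure; the `anyhow` context names the file involved.
fn main() {
    println!("Example start");
    println!("OpenSSL version {}", openssl::version::version());
    // Leaves an entry on the OpenSSL error stack (see `init`).
    init();

    let filename = "./server_certificate.pem";
    let mut buffer = vec![];
    // `with_context` builds the message only on the error path; the original
    // `context(format!(..))` allocated it on every call, including successes.
    let mut file = File::open(filename)
        .with_context(|| format!("file not found {}", filename))
        .unwrap();
    file.read_to_end(&mut buffer)
        .with_context(|| format!("read error on {}", filename))
        .unwrap();

    // Per the report, this is where the previously queued error surfaces,
    // reported together with the "no start line" that OpenSSL emits when the
    // PEM input is exhausted.
    let server_certificate_stack = X509::stack_from_pem(&buffer)
        .with_context(|| format!("failed to load server certificates from {}", filename))
        .unwrap();
    println!("{:?}", server_certificate_stack);
    println!("Example end");
}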

Error:

Example start
OpenSSL version OpenSSL 1.1.1f  31 Mar 2020
thread 'main' panicked at src/main.rs:24:139:
called `Result::unwrap()` on an `Err` value: failed to load server certificates from ./server_certificate.pem

Caused by:
    error:060CC07A:digital envelope routines:EVP_CIPHER_asn1_to_param:cipher parameter error:../crypto/evp/evp_lib.c:79:, error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
