NegotiateSsl implementation for security_framework

Author: sfackler

.travis/server.crt

@@ -0,0 +1,62 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            9a:e5:7a:5f:05:5a:2f:e4
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost
+        Validity
+            Not Before: Dec  5 21:50:46 2015 GMT
+            Not After : Jan  4 21:50:46 2016 GMT
+        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:f1:9b:b6:24:64:66:bf:5e:da:77:2a:39:bd:39:
+                    93:56:28:26:f1:d7:1f:c9:60:1c:e3:82:a4:07:a2:
+                    0f:c8:d6:68:fc:30:2f:17:30:34:69:cd:d8:f1:e7:
+                    c7:84:f9:c5:90:b1:2c:42:d5:23:20:d2:1d:d7:18:
+                    15:70:0a:a3:1d:c7:2e:df:03:c0:9f:5c:cb:02:25:
+                    da:7d:2b:1a:09:78:e5:23:8a:c4:64:39:59:0d:4e:
+                    15:0b:75:7b:75:f9:8a:4c:c3:9d:f9:31:08:d5:da:
+                    00:a5:db:0c:df:09:e5:e4:14:d1:17:0f:bb:f6:cf:
+                    bd:3c:5d:14:6a:cb:c1:dc:e1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                9E:09:C0:D1:1E:0E:07:B3:49:57:0A:49:47:F9:8A:5F:4E:FE:23:75
+            X509v3 Authority Key Identifier: 
+                keyid:9E:09:C0:D1:1E:0E:07:B3:49:57:0A:49:47:F9:8A:5F:4E:FE:23:75
+                DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
+                serial:9A:E5:7A:5F:05:5A:2F:E4
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+    Signature Algorithm: sha1WithRSAEncryption
+        4c:3b:c6:42:96:75:96:a0:9b:f5:d9:b1:9b:1b:4f:bd:d2:8d:
+        f1:53:ed:87:80:f5:7b:5d:36:6e:38:c8:ae:1a:58:e5:39:9e:
+        42:49:12:35:76:ab:0f:fa:b1:1f:4e:b1:85:f3:a3:6f:60:e3:
+        6c:0e:a8:95:0d:c8:38:7f:e3:e3:ff:64:74:73:50:46:65:83:
+        5f:1a:72:f9:69:44:07:cd:36:01:90:b9:b3:ed:d8:d7:bc:68:
+        97:dd:11:ac:2b:ec:5d:a4:d4:d5:e8:8b:60:12:54:b9:c4:5f:
+        00:f8:ce:5b:72:28:58:43:7c:d5:25:b7:dd:ec:71:da:aa:3a:
+        f2:6c
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAligAwIBAgIJAJrlel8FWi/kMA0GCSqGSIb3DQEBBQUAMFkxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xNTEyMDUyMTUw
+NDZaFw0xNjAxMDQyMTUwNDZaMFkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21l
+LVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNV
+BAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8Zu2JGRm
+v17adyo5vTmTVigm8dcfyWAc44KkB6IPyNZo/DAvFzA0ac3Y8efHhPnFkLEsQtUj
+INId1xgVcAqjHccu3wPAn1zLAiXafSsaCXjlI4rEZDlZDU4VC3V7dfmKTMOd+TEI
+1doApdsM3wnl5BTRFw+79s+9PF0UasvB3OECAwEAAaOBvjCBuzAdBgNVHQ4EFgQU
+ngnA0R4OB7NJVwpJR/mKX07+I3UwgYsGA1UdIwSBgzCBgIAUngnA0R4OB7NJVwpJ
+R/mKX07+I3WhXaRbMFkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRl
+MSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCWxv
+Y2FsaG9zdIIJAJrlel8FWi/kMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+gYEATDvGQpZ1lqCb9dmxmxtPvdKN8VPth4D1e102bjjIrhpY5TmeQkkSNXarD/qx
+H06xhfOjb2DjbA6olQ3IOH/j4/9kdHNQRmWDXxpy+WlEB802AZC5s+3Y17xol90R
+rCvsXaTU1eiLYBJUucRfAPjOW3IoWEN81SW33exx2qo68mw=
+-----END CERTIFICATE-----

.travis/server.der

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDxm7YkZGa/Xtp3Kjm9OZNWKCbx1x/JYBzjgqQHog/I1mj8MC8X
+MDRpzdjx58eE+cWQsSxC1SMg0h3XGBVwCqMdxy7fA8CfXMsCJdp9KxoJeOUjisRk
+OVkNThULdXt1+YpMw535MQjV2gCl2wzfCeXkFNEXD7v2z708XRRqy8Hc4QIDAQAB
+AoGBAIBsJuWzJFYmQfNDU4t8Fg+eqgy0LyYn21Mm9q9D+iXjqcwahH1L1yBCFUWH
+0Kqi5NujAQbJKbHhXZEeMQ7r6IT8HjAW800F+M3eRLaMGVbh02L/EpEgUspb8VH+
+SZDolJvxCGmkBBgglJwYpFQG6ANXaEU0/uS+aHz0Wptip2NNAkEA+UdCmpY7whXS
+5F3LrZE8qjwjEs86RxQoe7+wF7eT4CbXmxvQBwgxMO9ZUhwdUJ3Cm5T4Qu943gp/
+hiRIXunrdwJBAPgfgWNE1KpmJALr3opq+mu92D6YWk2aLFQj01kJI1lomRq/ptXB
+niMPzzvauiFuNgpGtKKoxzBPM3l8Ii5E4GcCQCBTuHR5tSg3UlEhRM+ufRKKl/XR
+f/pFx/Y8Zqa8vOWdw+oukizHSDHTaF74nGie/OTWTdfIXIFXFTCdNfFxHoMCQQDs
+k2WT1/IJkp/tZSXnxn6Esht3+13GtiRkCVCfiRX6TsAEgA27rANynMVT5YYpD+NY
+wvfCS7i4OBv1TkVs5mErAkAQmGseTKaye5ABFxBOEHT00hRtIE0yojuL6oPEDhkk
+SJIBC5XE0vzmMKq9sQ7foqgPork9O4VYBo0q//BO0RWG
+-----END RSA PRIVATE KEY-----

.travis/server.key

@@ -37,6 +37,7 @@ serde_json = { version = "0.6", optional = true }
 time = { version = "0.1.14", optional = true }
 unix_socket = { version = ">= 0.3, < 0.5", optional = true, features = ["socket_timeout"] }
 uuid = { version = "0.1", optional = true }
+security-framework = { version = "0.1.1", optional = true }
 
 [dev-dependencies]
 url = "0.2"

Cargo.toml

@@ -6,6 +6,8 @@ use std::io::prelude::*;
 
 #[cfg(feature = "openssl")]
 mod openssl;
+#[cfg(feature = "security-framework")]
+mod security_framework;
 
 /// A trait implemented by SSL adaptors.
 pub trait StreamWrapper: Read+Write+Send {
@@ -20,6 +22,9 @@ pub trait StreamWrapper: Read+Write+Send {
 ///
 /// If the `openssl` Cargo feature is enabled, this trait will be implemented
 /// for `openssl::ssl::SslContext`.
+///
+/// If the `security-framework` Cargo feature is enabled, this trait will be
+/// implemented for `security_framework::secure_transport::ClientBuilder`.
 pub trait NegotiateSsl {
     /// Negotiates an SSL session, returning a wrapper around the provided
     /// stream.

src/io/mod.rs

@@ -0,0 +1,25 @@
+extern crate security_framework;
+
+use self::security_framework::secure_transport::{SslStream, ClientBuilder};
+use io::{Stream, StreamWrapper, NegotiateSsl};
+use std::error::Error;
+
+impl StreamWrapper for SslStream<Stream> {
+    fn get_ref(&self) -> &Stream {
+        self.get_ref()
+    }
+
+    fn get_mut(&mut self) -> &mut Stream {
+        self.get_mut()
+    }
+}
+
+impl NegotiateSsl for ClientBuilder {
+    fn negotiate_ssl(&self,
+                     domain: &str,
+                     stream: Stream)
+                     -> Result<Box<StreamWrapper>, Box<Error + Send + Sync>> {
+        let stream = try!(self.handshake(domain, stream));
+        Ok(Box::new(stream))
+    }
+}

src/io/security_framework.rs

@@ -3,6 +3,8 @@ extern crate rustc_serialize as serialize;
 extern crate url;
 #[cfg(feature = "openssl")]
 extern crate openssl;
+#[cfg(feature = "security-framework")]
+extern crate security_framework;
 
 #[cfg(feature = "openssl")]
 use openssl::ssl::{SslContext, SslMethod};
@@ -671,6 +673,21 @@ fn test_prefer_ssl_conn() {
     or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
 }
 
+#[test]
+#[cfg(feature = "security-framework")]
+fn security_framework_ssl() {
+    use security_framework::certificate::SecCertificate;
+    use security_framework::secure_transport::ClientBuilder;
+
+    let certificate = include_bytes!("../.travis/server.der");
+    let certificate = or_panic!(SecCertificate::from_der(certificate));
+    let mut builder = ClientBuilder::new();
+    builder.anchor_certificates(&[certificate]);
+    let conn = or_panic!(Connection::connect("postgres://postgres@localhost",
+                                             &mut SslMode::Require(Box::new(builder))));
+    or_panic!(conn.execute("SELECT 1::VARCHAR", &[]));
+}
+
 #[test]
 fn test_plaintext_pass() {
     or_panic!(Connection::connect("postgres://pass_user:password@localhost/postgres", &SslMode::None));