Add API to create PKCS#12 #486
Conversation
Sources/NIOSSL/SSLPKCS12Bundle.swift
Outdated
| certificates: [NIOSSLCertificate], | ||
| privateKey: NIOSSLPrivateKey, | ||
| passphrase: Bytes, | ||
| name: Bytes |
There was a problem hiding this comment.
We don't need to provide a name, and I'd argue we shouldn't bother. If we're going to enable this, it should be optional, and needs a different generic type parameter to the passphrase.
There was a problem hiding this comment.
I'll just get rid of it, don't think it serves any purpose really.
Sources/NIOSSL/SSLPKCS12Bundle.swift
Outdated
| let certificateChainStack = CNIOBoringSSL_sk_X509_new(nil) | ||
| for additionalCertificate in certificates.dropFirst() { | ||
| let result = additionalCertificate.withUnsafeMutableX509Pointer { certificate in | ||
| CNIOBoringSSL_sk_X509_push(certificateChainStack, certificate) |
There was a problem hiding this comment.
This gets the refcount wrong. We need to increase the refcount of the certificate pointer here, using X509_up_ref
There was a problem hiding this comment.
Ah, the joys of manual memory management.
Should we decrease the refcount after we've created the PKCS12?
There was a problem hiding this comment.
Yes, we're also missing the free of the sk_509. Done correctly, the free call is sk_X509_pop_free with the second argument as X509_free.
Sources/NIOSSL/SSLPKCS12Bundle.swift
Outdated
| } | ||
| } | ||
|
|
||
| defer { |
There was a problem hiding this comment.
Nit: as a matter of coding style it's a bit nicer to move this immediately after the sk_X509_new.
| let pkcs12 = try bundle.serialize(passphrase: "thisisagreatpassword".utf8) | ||
|
|
||
| // And then decode it into a NIOSSLPKCS12Bundle | ||
| let decoded = try NIOSSLPKCS12Bundle(buffer: pkcs12, passphrase: "thisisagreatpassword".utf8) |
There was a problem hiding this comment.
We should probably try some non-matching passphrases.
Motivation
It would be handy to provide an API to create PKCS#12 files from a list of
NIOSSLCertificatesand aNIOSSLPrivateKey.This would be particularly useful when dealing with Network.framework/NIOTransportServices/Security.framework, which use
SecIdentitys for SSL. Two particular use cases are #484 (comment) andgrpc-swift-nio-transport, which would use this API for testing the NIOTS transport implementation.Modifications
This PR adds a static method to
NIOSSLPKCS12Bundlethat creates a PKCS#12 file from the given array of certificates + private key, and returns it as an array of bytes.Result
PKCS#12 files can be created using NIOSSL.