diff --git a/.github/workflows/certval.yml b/.github/workflows/certval.yml index 24b6503..7c7c071 100644 --- a/.github/workflows/certval.yml +++ b/.github/workflows/certval.yml @@ -15,7 +15,7 @@ jobs: strategy: matrix: rust: - - 1.75.0 # MSRV + - 1.81.0 # MSRV - stable steps: - uses: actions/checkout@v4 @@ -30,7 +30,7 @@ jobs: strategy: matrix: rust: - - 1.75.0 # MSRV + - 1.81.0 # MSRV - stable steps: - uses: actions/checkout@v4 diff --git a/Cargo.lock b/Cargo.lock index 6adc37c..0f0d04b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -405,8 +405,9 @@ checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce" [[package]] name = "cms" -version = "0.3.0-pre" -source = "git+https://github.com/RustCrypto/formats.git#1b49eb7afc6c23ce403aa3d4d2440864010bd566" +version = "0.3.0-pre.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "956098b1603285c33972193d6f62c8389d3d8548693a4077baa08ff0a8da97c7" dependencies = [ "const-oid", "der", @@ -2816,8 +2817,9 @@ dependencies = [ [[package]] name = "x509-cert" -version = "0.3.0-pre" -source = "git+https://github.com/RustCrypto/formats.git#1b49eb7afc6c23ce403aa3d4d2440864010bd566" +version = "0.3.0-pre.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2db382aa43c1fb5c419a960f72c3847ab0f383f635fc2e25f0bd6c5fb94371d1" dependencies = [ "const-oid", "der", @@ -2827,7 +2829,7 @@ dependencies = [ [[package]] name = "x509-ocsp" version = "0.3.0-pre" -source = "git+https://github.com/RustCrypto/formats.git#1b49eb7afc6c23ce403aa3d4d2440864010bd566" +source = "git+https://github.com/RustCrypto/formats.git#8f1e468a7846c10146986958d6f5f4cbbf6738f2" dependencies = [ "const-oid", "der", diff --git a/Cargo.toml b/Cargo.toml index 81ea74e..d67ebb7 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -14,9 +14,7 @@ debug = true debug = true [patch.crates-io] -cms = { git = "https://github.com/RustCrypto/formats.git" } x509-ocsp = { git = "https://github.com/RustCrypto/formats.git" } -x509-cert = { git = "https://github.com/RustCrypto/formats.git" } # FIXME: https://github.com/dalek-cryptography/curve25519-dalek/pull/676 ed25519-dalek = { git = "https://github.com/dalek-cryptography/curve25519-dalek.git", branch = "rustcrypto-new-releases" } diff --git a/certval/Cargo.toml b/certval/Cargo.toml index 76255ab..1f3ecb4 100644 --- a/certval/Cargo.toml +++ b/certval/Cargo.toml @@ -12,12 +12,12 @@ categories = ["cryptography", "pki", "no-std"] keywords = ["crypto", "x.509", "OCSP"] readme = "README.md" edition = "2021" -rust-version = "1.75" +rust-version = "1.81" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] -x509-cert = { version = "0.3.0-pre", default-features = false, features = ["hazmat","pem"] } +x509-cert = { version = "0.3.0-pre.0", default-features = false, features = ["hazmat","pem"] } const-oid = { version = "0.10.0-rc.0", default-features = false, features = ["db"] } cms = "0.3.0-pre" der = { version="0.8.0-rc.0", features = ["alloc", "derive", "flagset", "oid"] } diff --git a/certval/src/builder/file_utils.rs b/certval/src/builder/file_utils.rs index 4c2fcbf..c214169 100644 --- a/certval/src/builder/file_utils.rs +++ b/certval/src/builder/file_utils.rs @@ -121,7 +121,7 @@ fn cert_or_ta_folder_to_vec( if collect_tas { let r = TrustAnchorChoice::::from_der(buffer.as_slice()); if let Ok(TrustAnchorChoice::Certificate(cert)) = r { - let r = valid_at_time(&cert.tbs_certificate, time_of_interest, true); + let r = valid_at_time(&cert.tbs_certificate(), time_of_interest, true); if let Err(_e) = r { error!( "Ignored {} as not valid at indicated time of interest", 
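Review bot: The `x509-ocsp` patch that remains in `[patch.crates-io]` names only the repository, so the manifest does not say which upstream commit this validation library is built against; only Cargo.lock does, and a lockfile refresh moves it silently. Since the lockfile in this commit already records the commit, pin it in the manifest: `x509-ocsp = { git = "https://github.com/RustCrypto/formats.git", rev = "8f1e468a7846c10146986958d6f5f4cbbf6738f2" }`. The `ed25519-dalek` entry tracks a branch and has the same exposure until the FIXME is resolved.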
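Review bot: The new call `valid_at_time(&cert.tbs_certificate(), …)` in the `collect_tas` branch borrows something that appears to already be a reference, since uri_utils.rs in this same commit passes `cert.tbs_certificate()` without the `&`. It compiles through auto-deref but clippy's `needless_borrow` flags it; prefer `let r = valid_at_time(cert.tbs_certificate(), time_of_interest, true);`. The same leading `&` before an accessor call recurs in the second file_utils.rs hunk and in the crl.rs, ocsp_client.rs, cert_source.rs, crl_source.rs, ta_source.rs and pdv_utilities.rs hunks. `cert_or_ta_folder_to_vec` starts and ends outside this hunk.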
@@ -135,7 +135,7 @@ fn cert_or_ta_folder_to_vec( } else { let r = CertificateInner::from_der(buffer.as_slice()); if let Ok(cert) = r { - let r = valid_at_time(&cert.tbs_certificate, time_of_interest, true); + let r = valid_at_time(&cert.tbs_certificate(), time_of_interest, true); if let Err(_e) = r { error!( "Ignored {} as not valid at indicated time of interest", diff --git a/certval/src/builder/uri_utils.rs b/certval/src/builder/uri_utils.rs index 935dee2..87b509a 100644 --- a/certval/src/builder/uri_utils.rs +++ b/certval/src/builder/uri_utils.rs @@ -115,7 +115,7 @@ fn save_cert( let r = CertificateInner::from_der(bytes); match r { Ok(cert) => { - if let Err(_e) = valid_at_time(&cert.tbs_certificate, time_of_interest, true) { + if let Err(_e) = valid_at_time(cert.tbs_certificate(), time_of_interest, true) { debug!("Ignoring certificate downloaded from {} as not valid at indicated time of interest ({})", target, time_of_interest); return saved; } diff --git a/certval/src/revocation/check_revocation.rs b/certval/src/revocation/check_revocation.rs index 3086fb4..a176d86 100644 --- a/certval/src/revocation/check_revocation.rs +++ b/certval/src/revocation/check_revocation.rs @@ -101,7 +101,8 @@ pub async fn check_revocation( let mut statuses = vec![]; for (pos, ca_cert_ref) in v.iter().enumerate() { let cur_cert = ca_cert_ref; - let cur_cert_subject = name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate.subject); + let cur_cert_subject = + name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate().subject()); let revoked_error = if pos == max_index { CertificateRevokedEndEntity } else { 
@@ -298,7 +299,8 @@ pub fn check_revocation( let mut statuses = vec![]; for (pos, ca_cert_ref) in v.iter().enumerate() { let cur_cert = ca_cert_ref; - let cur_cert_subject = name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate.subject); + let cur_cert_subject = + name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate().subject()); let revoked_error = if pos == max_index { CertificateRevokedEndEntity } else { diff --git a/certval/src/revocation/crl.rs b/certval/src/revocation/crl.rs index a99e4c8..bc641b2 100644 --- a/certval/src/revocation/crl.rs +++ b/certval/src/revocation/crl.rs @@ -653,7 +653,7 @@ fn validate_crl_issuer_name( Ok(Some(PDVExtension::CrlDistributionPoints(crl_dp))) => crl_dp, _ => match Name::from_der(&crl_info.issuer_name_blob) { Ok(n) => { - if compare_names(&cert.decoded_cert.tbs_certificate.issuer, &n) { + if compare_names(&cert.decoded_cert.tbs_certificate().issuer(), &n) { return Ok(None); } else { return Err(Error::CrlIncompatible); @@ -681,7 +681,7 @@ fn validate_crl_issuer_name( match Name::from_der(&crl_info.issuer_name_blob) { Ok(n) => { - if compare_names(&cert.decoded_cert.tbs_certificate.issuer, &n) { + if compare_names(&cert.decoded_cert.tbs_certificate().issuer(), &n) { Ok(None) } else { Err(Error::CrlIncompatible) @@ -839,7 +839,7 @@ fn validate_crl_authority(target_cert: &PDVCertificate, crl_info: &CrlInfo) -> R // If the CRL issuer name does not match the cert issuer name, the indirectCRL field must be present // in the IDP. - let enc_iss = match target_cert.decoded_cert.tbs_certificate.issuer.to_der() { + let enc_iss = match target_cert.decoded_cert.tbs_certificate().issuer().to_der() { Ok(b) => b, Err(_e) => return Err(Error::Unrecognized), }; 
@@ -868,7 +868,7 @@ fn verify_crl( &defer_crl.tbs_field, defer_crl.signature.raw_bytes(), &defer_crl.signature_algorithm, - &issuer_cert.tbs_certificate.subject_public_key_info, + &issuer_cert.tbs_certificate().subject_public_key_info(), ); if let Err(e) = r { log_error_for_subject( @@ -950,8 +950,8 @@ pub(crate) fn check_crl_validity(toi: TimeOfInterest, crl: &CertificateList } fn check_crl_sign(cert: &CertificateInner) -> Result<()> { - if let Some(exts) = &cert.tbs_certificate.extensions { - for ext in exts { + if let Some(exts) = &cert.tbs_certificate().extensions() { + for ext in exts.as_slice() { if ext.extn_id == ID_CE_KEY_USAGE { if let Ok(ku) = KeyUsage::from_der(ext.extn_value.as_bytes()) { // (n) If a key usage extension is present, verify that the @@ -1021,7 +1021,7 @@ pub(crate) fn process_crl( if !COMPATIBLE_SCOPE[(cert_type as usize, crl_info.type_info.scope as usize)] || !COMPATIBLE_COVERAGE[(cert_type as usize, crl_info.type_info.coverage as usize)] { - info!("Discarding CRL from {} as having incompatible scope or coverage for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate.subject)); + info!("Discarding CRL from {} as having incompatible scope or coverage for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate().subject())); return Err(Error::CrlIncompatible); } 
@@ -1044,7 +1044,7 @@ pub(crate) fn process_crl( target_cert, &mut collected_reasons, ) { - info!("Discarding CRL from {} as having incompatible distribution point for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate.subject)); + info!("Discarding CRL from {} as having incompatible distribution point for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate().subject())); return Err(Error::CrlIncompatible); } @@ -1053,7 +1053,7 @@ pub(crate) fn process_crl( info!( "Discarding CRL from {} as having incompatible authority for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), - name_to_string(&target_cert.decoded_cert.tbs_certificate.subject) + name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()) ); return Err(Error::CrlIncompatible); } @@ -1083,7 +1083,7 @@ pub(crate) fn process_crl( if rc .serial_number - .der_cmp(&target_cert.decoded_cert.tbs_certificate.serial_number) + .der_cmp(&target_cert.decoded_cert.tbs_certificate().serial_number()) .map(|ordering| matches!(ordering, std::cmp::Ordering::Equal)) .unwrap_or_default() { @@ -1142,12 +1142,12 @@ pub(crate) async fn check_revocation_crl_remote( pos: usize, ) -> PathValidationStatus { let mut target_status = PathValidationStatus::RevocationStatusNotDetermined; - let cur_cert_subject = name_to_string(&target_cert.decoded_cert.tbs_certificate.subject); + let cur_cert_subject = name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()); let crl_dps = get_crl_dps(target_cert); if crl_dps.is_empty() { info!( "No CRL DPs found for {}", - name_to_string(&target_cert.decoded_cert.tbs_certificate.subject) + name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()) ); } else { let timeout = cps.get_crl_timeout(); 
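Review bot: The serial-number match in the `@@ -1083,7 +1083,7 @@` hunk fails open: `.unwrap_or_default()` turns a `der_cmp` error into `false`, so a revoked-certificate entry whose comparison errors is treated as not matching the target. For a revocation decision it is safer to surface the error than to skip the entry, for example by matching on the result and adding `Err(_e) => return Err(Error::Unrecognized),`. Whether an error is reachable for serial numbers that already parsed is not visible here, and the surrounding loop in `process_crl` lies outside the hunk.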
diff --git a/certval/src/revocation/ocsp_client.rs b/certval/src/revocation/ocsp_client.rs index 2af0a01..0b356e2 100644 --- a/certval/src/revocation/ocsp_client.rs +++ b/certval/src/revocation/ocsp_client.rs @@ -55,8 +55,8 @@ use crate::{ fn get_key_hash(cert: &CertificateInner) -> Result> { Ok(Sha1::digest( - cert.tbs_certificate - .subject_public_key_info + cert.tbs_certificate() + .subject_public_key_info() .subject_public_key .raw_bytes(), ) @@ -64,7 +64,7 @@ fn get_key_hash(cert: &CertificateInner) -> Result> { } fn get_subject_name_hash(cert: &CertificateInner) -> Result> { - let enc_subject = match cert.tbs_certificate.subject.to_der() { + let enc_subject = match cert.tbs_certificate().subject().to_der() { Ok(enc_spki) => enc_spki, Err(e) => return Err(Error::Asn1Error(e)), }; @@ -215,7 +215,7 @@ fn prepare_ocsp_request( hash_algorithm, issuer_name_hash, issuer_key_hash, - serial_number: target_cert.tbs_certificate.serial_number.clone(), + serial_number: target_cert.tbs_certificate().serial_number().clone(), }; //TODO add nonce support let request_list = vec![Request { @@ -283,9 +283,9 @@ impl<'a> ::der::DecodeValue<'a> for DeferDecodeBasicOcspResponse { } } -fn no_check_present(exts: &Option) -> bool { +fn no_check_present(exts: &Option<&Extensions>) -> bool { if let Some(exts) = exts { - for ext in exts { + for ext in exts.as_slice() { if ext.extn_id == ID_PKIX_OCSP_NOCHECK { return true; } @@ -316,7 +316,7 @@ fn verify_response_signature( &ddbor.tbs_response_data, signature, &bor.signature_algorithm, - &signers_cert.tbs_certificate.subject_public_key_info, + &signers_cert.tbs_certificate().subject_public_key_info(), ) } 
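Review bot: The new signature `fn no_check_present(exts: &Option<&Extensions>) -> bool` takes a reference to an `Option` of a reference, which forces the caller to write `&cert.tbs_certificate().extensions()`. Taking the option by value is the idiomatic form and costs nothing: `fn no_check_present(exts: Option<&Extensions>) -> bool`, called as `no_check_present(cert.tbs_certificate().extensions())`. A one-line doc comment saying that it reports whether the id-pkix-ocsp-nocheck extension is present would also help, since the function has none.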
@@ -533,10 +533,11 @@ fn process_ocsp_response_internal( &defer_cert.tbs_field, defer_cert.signature.raw_bytes(), &defer_cert.signature_algorithm, - &issuers_cert.tbs_certificate.subject_public_key_info, + &issuers_cert.tbs_certificate().subject_public_key_info(), ) { if let Ok(cert) = CertificateInner::::from_der(certbuf.as_slice()) { - if cert.tbs_certificate.signature != defer_cert.signature_algorithm { + if *cert.tbs_certificate().signature() != defer_cert.signature_algorithm + { error!("Verified candidate responder cert from OCSPResponse from {} but signature algorithm match failed", uri_to_check); cpr.add_failed_ocsp_response(enc_ocsp_resp.to_vec(), result_index); continue; @@ -545,7 +546,7 @@ fn process_ocsp_response_internal( let time_of_interest = cps.get_time_of_interest(); if time_of_interest.is_disabled() { let target_ttl = - valid_at_time(&cert.tbs_certificate, time_of_interest, false); + valid_at_time(&cert.tbs_certificate(), time_of_interest, false); if let Err(_e) = target_ttl { error!("Verified candidate responder cert from OCSPResponse from {} but certificate has expired", uri_to_check); cpr.add_failed_ocsp_response( @@ -556,7 +557,7 @@ fn process_ocsp_response_internal( } } - if !no_check_present(&cert.tbs_certificate.extensions) { + if !no_check_present(&cert.tbs_certificate().extensions()) { //TODO implement revocation checking of responder cert error!("no-check absent"); } @@ -608,7 +609,7 @@ fn process_ocsp_response_internal( for sr in bor.tbs_response_data.responses { if !cert_id_match( &sr.cert_id, - &target_cert.decoded_cert.tbs_certificate.serial_number, + &target_cert.decoded_cert.tbs_certificate().serial_number(), name_hash, key_hash, ) { @@ -693,7 +694,7 @@ pub(crate) async fn check_revocation_ocsp( if ocsp_aias.is_empty() { info!( "No OCSP AIAs found for {}", - name_to_string(&target_cert.decoded_cert.tbs_certificate.subject) + name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()) ); } else { for aia in ocsp_aias { 
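Review bot: The responder-certificate validity check touched in the `@@ -545,7 +546,7 @@` hunk sits under `if time_of_interest.is_disabled()`, which looks inverted. cert_source.rs in this commit treats a disabled time of interest as "skip the check" and calls `valid_at_time` only in the `else` branch. If `valid_at_time` returns early for a disabled time of interest, as the `return Ok(0);` context in pdv_utilities.rs suggests (its condition is outside that hunk), an expired OCSP responder certificate is never rejected on this path. Consider `if !time_of_interest.is_disabled() {`, with a test that feeds an expired delegated responder certificate; the rest of `process_ocsp_response_internal` is outside the hunk.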
@@ -710,7 +711,7 @@ pub(crate) async fn check_revocation_ocsp( info!( "Determined revocation status ({}) using OCSP for certificate issued to {} via {}", target_status, - name_to_string(&target_cert.decoded_cert.tbs_certificate.subject), + name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()), aia.as_str(), ); // no need to consider additional AIAs @@ -718,7 +719,7 @@ pub(crate) async fn check_revocation_ocsp( } else { info!( "Failed to determine status for {} via {}", - name_to_string(&target_cert.decoded_cert.tbs_certificate.subject), + name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()), aia.as_str() ); } diff --git a/certval/src/source/cert_source.rs b/certval/src/source/cert_source.rs index f27b303..af1c8d6 100644 --- a/certval/src/source/cert_source.rs +++ b/certval/src/source/cert_source.rs @@ -511,8 +511,8 @@ impl CertSource { for (i, c) in self.certs.iter().enumerate() { if let Some(cert) = c { let skid = hex_skid_from_cert(cert); - let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); - let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer); + let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); + let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()); info!( "Index: {}; SKID: {}; Issuer: {}; Subject: {}", i, skid, iss, sub @@ -546,8 +546,8 @@ impl CertSource { let nc_ext = cert.get_extension(&ID_CE_NAME_CONSTRAINTS); if let Ok(Some(PDVExtension::NameConstraints(nc))) = nc_ext { let skid = hex_skid_from_cert(cert); - let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); - let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer); + let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); + let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()); if let Some(perm) = &nc.permitted_subtrees { logged_some = true; info!("Index: {}; SKID: {}; {}; Subject: {}", i, skid, iss, sub); 
@@ -593,7 +593,7 @@ impl CertSource { for c in &self.skid_map[key] { let cert = &self.certs[*c]; if let Some(cert) = cert { - label = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); + label = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); break; } } @@ -604,7 +604,7 @@ impl CertSource { for v in inner { let cert = &self.certs[v[0]]; let vlabel = if let Some(cert) = cert { - get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer) + get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()) } else { "".to_string() }; @@ -631,8 +631,11 @@ impl CertSource { /// Logs info about partial paths and corresponding buffers for a given target pub fn log_paths_for_target(&self, target: &PDVCertificate, time_of_interest: TimeOfInterest) { - if let Err(_e) = valid_at_time(&target.decoded_cert.tbs_certificate, time_of_interest, true) - { + if let Err(_e) = valid_at_time( + &target.decoded_cert.tbs_certificate(), + time_of_interest, + true, + ) { error!( "No paths found because target is not valid at indicated time of interest ({})", time_of_interest @@ -650,7 +653,7 @@ impl CertSource { } let mut akid_hex = "".to_string(); - let mut name_vec = vec![&target.decoded_cert.tbs_certificate.issuer]; + let mut name_vec = vec![target.decoded_cert.tbs_certificate().issuer()]; let akid_ext = target.get_extension(&ID_CE_AUTHORITY_KEY_IDENTIFIER); if let Ok(Some(PDVExtension::AuthorityKeyIdentifier(akid))) = akid_ext { if let Some(kid) = &akid.key_identifier { @@ -700,7 +703,7 @@ impl CertSource { for c in &self.skid_map[&key] { let cert = &self.certs[*c]; if let Some(cert) = cert { - label = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); + label = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); break; } } 
@@ -722,8 +725,8 @@ impl CertSource { let issuer = &self.certs[*last_index]; if let Some(ca) = issuer { if !compare_names( - &ca.decoded_cert.tbs_certificate.subject, - &target.decoded_cert.tbs_certificate.issuer, + &ca.decoded_cert.tbs_certificate().subject(), + &target.decoded_cert.tbs_certificate().issuer(), ) { error!( "Encountered CA that is likely using same SKID with different names. Skipping partial path due to name mismatch."); break; @@ -739,7 +742,7 @@ impl CertSource { for ii in v { let cert = &self.certs[*ii]; if let Some(cert) = cert { - vlabel = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer); + vlabel = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()); break; } } @@ -759,8 +762,8 @@ impl CertSource { if indices.contains(&i) { if let Some(cert) = c { let skid = hex_skid_from_cert(cert); - let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); - let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer); + let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); + let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()); info!( "Index: {}; SKID: {}; Issuer: {}; Subject: {}", i, skid, iss, sub @@ -810,7 +813,7 @@ impl CertSource { for c in &self.skid_map[&key] { let cert = &self.certs[*c]; if let Some(cert) = cert { - label = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); + label = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); break; } } @@ -827,7 +830,7 @@ impl CertSource { for ii in v { let cert = &self.certs[*ii]; if let Some(cert) = cert { - vlabel = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer); + vlabel = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()); break; } } 
@@ -847,8 +850,8 @@ impl CertSource { if indices.contains(&i) { if let Some(cert) = c { let skid = hex_skid_from_cert(cert); - let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.subject); - let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate.issuer); + let sub = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().subject()); + let iss = get_leaf_rdn(&cert.decoded_cert.tbs_certificate().issuer()); info!( "Index: {}; SKID: {}; Issuer: {}; Subject: {}", i, skid, iss, sub @@ -931,7 +934,7 @@ impl CertSource { let valid = if time_of_interest.is_disabled() { true } else { - let r = valid_at_time(&cert.tbs_certificate, time_of_interest, false); + let r = valid_at_time(&cert.tbs_certificate(), time_of_interest, false); if r.is_err() { error!( "Certificate from {} is not valid at indicated time of interest", @@ -977,7 +980,7 @@ impl CertSource { self.skid_map.insert(hex_skid, vec![i]); } - let name_str = name_to_string(&cert.decoded_cert.tbs_certificate.subject); + let name_str = name_to_string(&cert.decoded_cert.tbs_certificate().subject()); if self.name_map.contains_key(&name_str) { let mut v = self.name_map[&name_str].clone(); v.push(i); @@ -995,12 +998,12 @@ impl CertSource { if let Some(path_item) = path_item { if path_item .decoded_cert - .tbs_certificate - .subject_public_key_info + .tbs_certificate() + .subject_public_key_info() == prospective_cert .decoded_cert - .tbs_certificate - .subject_public_key_info + .tbs_certificate() + .subject_public_key_info() { return true; } @@ -1072,7 +1075,7 @@ impl CertSource { for i in path.iter() { if let Some(ca_cert) = &self.certs[*i] { if let Err(_e) = valid_at_time( - &ca_cert.decoded_cert.tbs_certificate, + &ca_cert.decoded_cert.tbs_certificate(), time_of_interest, false, ) { 
@@ -1098,13 +1101,13 @@ impl CertSource { if (pos + 1) == path.len() || !self_issued { if !permitted_subtrees.subject_within_permitted_subtrees( - &ca_cert.decoded_cert.tbs_certificate.subject, + &ca_cert.decoded_cert.tbs_certificate().subject(), ) { return false; } if excluded_subtrees.subject_within_excluded_subtrees( - &ca_cert.decoded_cert.tbs_certificate.subject, + &ca_cert.decoded_cert.tbs_certificate().subject(), ) { return false; } @@ -1154,7 +1157,7 @@ impl CertSource { let mut retval: Vec = vec![]; let mut akid_hex = "".to_string(); - let mut name_vec = vec![&target.decoded_cert.tbs_certificate.issuer]; + let mut name_vec = vec![target.decoded_cert.tbs_certificate().issuer()]; let akid_ext = target.get_extension(&ID_CE_AUTHORITY_KEY_IDENTIFIER); if let Ok(Some(PDVExtension::AuthorityKeyIdentifier(akid))) = akid_ext { if let Some(kid) = &akid.key_identifier { @@ -1226,8 +1229,10 @@ impl CertSource { // RFC 5914 TAs do not necessary have to have a name, if this is one of those, ignore it let ta_name = get_trust_anchor_name(&ta.decoded_ta); if let Ok(ta_name) = ta_name { - if compare_names(&cur_cert.decoded_cert.tbs_certificate.issuer, ta_name) - { + if compare_names( + &cur_cert.decoded_cert.tbs_certificate().issuer(), + ta_name, + ) { let defer_cert = DeferDecodeSigned::from_der(cur_cert.encoded_cert.as_slice()); if let Ok(defer_cert) = defer_cert { @@ -1237,8 +1242,8 @@ impl CertSource { let r = pe.verify_signature_message( pe, &defer_cert.tbs_field, - cur_cert.decoded_cert.signature.raw_bytes(), - &cur_cert.decoded_cert.tbs_certificate.signature, + cur_cert.decoded_cert.signature().raw_bytes(), + &cur_cert.decoded_cert.tbs_certificate().signature(), spki, ); if let Ok(_r) = r { 
@@ -1288,8 +1293,11 @@ impl CertSource { // Not doing that at present because policy and name constraints // are more variable than use of current time as time of interest if compare_names( - &cur_cert.decoded_cert.tbs_certificate.issuer, - &prospective_ca_cert.decoded_cert.tbs_certificate.subject, + &cur_cert.decoded_cert.tbs_certificate().issuer(), + &prospective_ca_cert + .decoded_cert + .tbs_certificate() + .subject(), ) && self.check_names_in_partial_path(prospective_path) && self .check_validity_in_partial_path(prospective_path, cps) @@ -1297,12 +1305,12 @@ impl CertSource { let r = pe.verify_signature_message( pe, &defer_cert.tbs_field, - cur_cert.decoded_cert.signature.raw_bytes(), - &cur_cert.decoded_cert.tbs_certificate.signature, + cur_cert.decoded_cert.signature().raw_bytes(), + &cur_cert.decoded_cert.tbs_certificate().signature(), &prospective_ca_cert .decoded_cert - .tbs_certificate - .subject_public_key_info, + .tbs_certificate() + .subject_public_key_info(), ); if let Ok(_r) = r { if !self.pub_key_in_path(cur_cert, prospective_path) { @@ -1359,8 +1367,11 @@ impl CertificateSource for CertSource { threshold: usize, time_of_interest: TimeOfInterest, ) -> Result<()> { - if let Err(e) = valid_at_time(&target.decoded_cert.tbs_certificate, time_of_interest, true) - { + if let Err(e) = valid_at_time( + &target.decoded_cert.tbs_certificate(), + time_of_interest, + true, + ) { error!( "No paths found because target is not valid at indicated time of interest ({})", time_of_interest @@ -1375,7 +1386,7 @@ impl CertificateSource for CertSource { } let mut akid_hex = "".to_string(); - let mut name_vec = vec![&target.decoded_cert.tbs_certificate.issuer]; + let mut name_vec = vec![target.decoded_cert.tbs_certificate().issuer()]; let akid_ext = target.get_extension(&ID_CE_AUTHORITY_KEY_IDENTIFIER); if let Ok(Some(PDVExtension::AuthorityKeyIdentifier(akid))) = akid_ext { if let Some(kid) = &akid.key_identifier { 
@@ -1414,8 +1425,8 @@ impl CertificateSource for CertSource { let issuer = &self.certs[*last_index]; if let Some(ca) = issuer { if !compare_names( - &ca.decoded_cert.tbs_certificate.subject, - &target.decoded_cert.tbs_certificate.issuer, + &ca.decoded_cert.tbs_certificate().subject(), + &target.decoded_cert.tbs_certificate().issuer(), ) { error!("Encountered CA that is likely using same SKID with different names. Skipping partial path due to name mismatch."); continue; @@ -1431,7 +1442,7 @@ impl CertificateSource for CertSource { if 0 == i { let mut ta_akid_hex = "".to_string(); let mut ta_name_vec = - vec![&target.decoded_cert.tbs_certificate.issuer]; + vec![target.decoded_cert.tbs_certificate().issuer()]; let ca_akid_ext = cert.get_extension(&ID_CE_AUTHORITY_KEY_IDENTIFIER); if let Ok(Some(PDVExtension::AuthorityKeyIdentifier( @@ -1639,10 +1650,10 @@ fn pub_key_repeats(path: &CertificationPath) -> bool { )]; for c in &path.intermediates { let ca = c.clone(); - if spki_array.contains(&&ca.decoded_cert.tbs_certificate.subject_public_key_info) { + if spki_array.contains(&&ca.decoded_cert.tbs_certificate().subject_public_key_info()) { return true; } else { - spki_array.push(&c.decoded_cert.tbs_certificate.subject_public_key_info); + spki_array.push(&c.decoded_cert.tbs_certificate().subject_public_key_info()); } } false @@ -1689,7 +1700,7 @@ fn get_certificates_test() { cert_store.skid_map.insert(hex_skid, vec![i]); } - let name_str = name_to_string(&cert.decoded_cert.tbs_certificate.subject); + let name_str = name_to_string(&cert.decoded_cert.tbs_certificate().subject()); if cert_store.name_map.contains_key(&name_str) { let mut v = cert_store.name_map[&name_str].clone(); v.push(i); diff --git a/certval/src/source/crl_source.rs b/certval/src/source/crl_source.rs index a7eae12..cf481a2 100644 --- a/certval/src/source/crl_source.rs +++ b/certval/src/source/crl_source.rs 
@@ -340,7 +340,7 @@ impl CrlSource for CrlSourceFolders { } } - let issuer_name = name_to_string(&cert.decoded_cert.tbs_certificate.issuer); + let issuer_name = name_to_string(&cert.decoded_cert.tbs_certificate().issuer()); if inner.issuer_map.contains_key(&issuer_name) { let indices = &inner.issuer_map[&issuer_name]; let mut retval = vec![]; @@ -529,8 +529,13 @@ impl RevocationStatusCache for RevocationCache { cert: &PDVCertificate, time_of_interest: TimeOfInterest, ) -> PathValidationStatus { - let name = name_to_string(&cert.decoded_cert.tbs_certificate.issuer); - let serial = buffer_to_hex(cert.decoded_cert.tbs_certificate.serial_number.as_bytes()); + let name = name_to_string(&cert.decoded_cert.tbs_certificate().issuer()); + let serial = buffer_to_hex( + cert.decoded_cert + .tbs_certificate() + .serial_number() + .as_bytes(), + ); let cache_map = if let Ok(c) = self.cache_map.read() { c @@ -555,8 +560,13 @@ impl RevocationStatusCache for RevocationCache { return; } - let name = name_to_string(&cert.decoded_cert.tbs_certificate.issuer); - let serial = buffer_to_hex(cert.decoded_cert.tbs_certificate.serial_number.as_bytes()); + let name = name_to_string(&cert.decoded_cert.tbs_certificate().issuer()); + let serial = buffer_to_hex( + cert.decoded_cert + .tbs_certificate() + .serial_number() + .as_bytes(), + ); let key = (name, serial); let mut cache_map = if let Ok(g) = self.cache_map.write() { diff --git a/certval/src/source/ta_source.rs b/certval/src/source/ta_source.rs index 2cbc806..6df9cab 100644 --- a/certval/src/source/ta_source.rs +++ b/certval/src/source/ta_source.rs 
@@ -71,9 +71,9 @@ pub fn get_subject_public_key_info_from_trust_anchor( ta: &TrustAnchorChoice, ) -> &SubjectPublicKeyInfoOwned { match ta { - TrustAnchorChoice::Certificate(cert) => &cert.tbs_certificate.subject_public_key_info, + TrustAnchorChoice::Certificate(cert) => &cert.tbs_certificate().subject_public_key_info(), TrustAnchorChoice::TaInfo(tai) => &tai.pub_key, - TrustAnchorChoice::TbsCertificate(tbs) => &tbs.subject_public_key_info, + TrustAnchorChoice::TbsCertificate(tbs) => &tbs.subject_public_key_info(), } } @@ -153,7 +153,10 @@ pub fn hex_skid_from_cert(cert: &PDVCertificate) -> String { let hex_skid = if let Ok(Some(PDVExtension::SubjectKeyIdentifier(skid))) = skid { buffer_to_hex(skid.0.as_bytes()) } else { - let working_spki = &cert.decoded_cert.tbs_certificate.subject_public_key_info; + let working_spki = &cert + .decoded_cert + .tbs_certificate() + .subject_public_key_info(); //todo unwrap let digest = Sha256::digest(working_spki.subject_public_key.as_bytes().unwrap()).to_vec(); buffer_to_hex(digest.as_slice()) @@ -335,7 +338,7 @@ impl TrustAnchorSource for TaSource { target: &PDVCertificate, ) -> Result<&PDVTrustAnchorChoice> { let mut akid_hex = None; - let mut name_vec = vec![&target.decoded_cert.tbs_certificate.issuer]; + let mut name_vec = vec![target.decoded_cert.tbs_certificate().issuer()]; let akid_ext = target.get_extension(&ID_CE_AUTHORITY_KEY_IDENTIFIER); if let Ok(Some(PDVExtension::AuthorityKeyIdentifier(akid))) = akid_ext { if let Some(kid) = &akid.key_identifier { diff --git a/certval/src/util/crypto.rs b/certval/src/util/crypto.rs index 04419f0..a5fad2b 100644 --- a/certval/src/util/crypto.rs +++ b/certval/src/util/crypto.rs @@ -683,7 +683,7 @@ fn test_verify_signature_digest() { &result, defer_cert.signature.as_bytes().unwrap(), &defer_cert.signature_algorithm, - &cert.tbs_certificate.subject_public_key_info, + &cert.tbs_certificate().subject_public_key_info(), ); assert!(result.is_ok()) } 
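Review bot: In `hex_skid_from_cert`, the line after the reformatted `working_spki` binding still calls `working_spki.subject_public_key.as_bytes().unwrap()`, which panics when the BIT STRING carries unused bits. Because this runs on parsed certificates, a malformed key in an untrusted certificate could abort the caller instead of yielding an error or a fallback identifier. `get_key_hash` in ocsp_client.rs hashes `raw_bytes()`, which cannot fail, so the same form works here and clears the `//todo unwrap`: `let digest = Sha256::digest(working_spki.subject_public_key.raw_bytes()).to_vec();`.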
diff --git a/certval/src/util/pdv_utilities.rs b/certval/src/util/pdv_utilities.rs index 16d678b..47bdf88 100644 --- a/certval/src/util/pdv_utilities.rs +++ b/certval/src/util/pdv_utilities.rs @@ -54,9 +54,9 @@ pub fn is_self_signed_with_buffer( .verify_signature_message( pe, &defer_cert.tbs_field, - cert.signature.raw_bytes(), - &cert.tbs_certificate.signature, - &cert.tbs_certificate.subject_public_key_info, + cert.signature().raw_bytes(), + &cert.tbs_certificate().signature(), + &cert.tbs_certificate().subject_public_key_info(), ) .is_ok(), Err(e) => { @@ -78,7 +78,10 @@ pub fn is_self_signed(pe: &PkiEnvironment, cert: &PDVCertificate) -> bool { /// `is_self_issued` returns true if the subject field in the certificate is the same as the issuer /// field. pub fn is_self_issued(cert: &CertificateInner) -> bool { - compare_names(&cert.tbs_certificate.issuer, &cert.tbs_certificate.subject) + compare_names( + &cert.tbs_certificate().issuer(), + &cert.tbs_certificate().subject(), + ) } /// `collect_uris_from_aia_and_sia` collects unique URIs from AIA and SIA extensions from the presented @@ -130,24 +133,25 @@ pub fn valid_at_time( return Ok(0); } - let nb = target.validity.not_before; + let validity = target.validity(); + let nb = validity.not_before; if nb > toi { if !stifle_log { - log_error_for_name(&target.subject, "certificate is not yet valid, i.e., not_before is prior to the configured time of interest"); + log_error_for_name(&target.subject(), "certificate is not yet valid, i.e., not_before is prior to the configured time of interest"); } return Err(Error::PathValidation( PathValidationStatus::InvalidNotBeforeDate, )); } - let na = target.validity.not_after; + let na = validity.not_after; if na < toi { if !stifle_log { log_error_for_name( - &target.subject, + &target.subject(), format!( "certificate is expired relative to the configured time of interest: {}", - target.validity.not_after + validity.not_after ) .as_str(), ); 
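Review bot: The log text on the changed `log_error_for_name(&target.subject(), …)` line in `valid_at_time` contradicts the condition it reports. The branch is taken when `nb > toi`, meaning not_before is later than the time of interest, but the message says "not_before is prior to the configured time of interest". Since this line is being edited anyway, correct the wording to `"certificate is not yet valid, i.e., not_before is later than the configured time of interest"` so operators reading the validation log are not misled about why a certificate was rejected.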
@@ -170,9 +174,8 @@ pub(crate) fn get_inhibit_any_policy_from_trust_anchor( ) -> Result { match ta { TrustAnchorChoice::Certificate(cert) => { - if let Some(extensions) = &cert.tbs_certificate.extensions { - let i = extensions.iter(); - for ext in i { + if let Some(extensions) = &cert.tbs_certificate().extensions() { + for ext in extensions.as_slice() { if ID_CE_INHIBIT_ANY_POLICY == ext.extn_id { let iap_result = InhibitAnyPolicy::from_der(ext.extn_value.as_bytes()); if let Ok(_iap) = iap_result { @@ -208,7 +211,7 @@ pub(crate) fn get_require_explicit_policy_from_trust_anchor( ) -> Result { match ta { TrustAnchorChoice::Certificate(cert) => { - if let Some(extensions) = &cert.tbs_certificate.extensions { + if let Some(extensions) = &cert.tbs_certificate().extensions() { let i = extensions.iter(); for ext in i { if ID_CE_POLICY_CONSTRAINTS == ext.extn_id { @@ -248,7 +251,7 @@ pub(crate) fn get_inhibit_policy_mapping_from_trust_anchor( ) -> Result { match ta { TrustAnchorChoice::Certificate(cert) => { - if let Some(extensions) = &cert.tbs_certificate.extensions { + if let Some(extensions) = &cert.tbs_certificate().extensions() { let i = extensions.iter(); for ext in i { if ID_CE_POLICY_CONSTRAINTS == ext.extn_id { @@ -286,7 +289,7 @@ pub(crate) fn get_path_length_constraint_from_trust_anchor( ) -> Result { match ta { TrustAnchorChoice::Certificate(cert) => { - if let Some(extensions) = &cert.tbs_certificate.extensions { + if let Some(extensions) = &cert.tbs_certificate().extensions() { let i = extensions.iter(); for ext in i { if ID_CE_BASIC_CONSTRAINTS == ext.extn_id { 
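Review bot: Only the first of the four trust-anchor getters was moved to `for ext in extensions.as_slice() {`. `get_require_explicit_policy_from_trust_anchor`, `get_inhibit_policy_mapping_from_trust_anchor` and `get_path_length_constraint_from_trust_anchor` in the next three hunks keep the two-step `let i = extensions.iter(); for ext in i {`, so four near-identical loops now read differently. Using one form in all four, for example `for ext in extensions.iter() {`, would make it easier to see that they differ only in the OID they look for. The `&` in `if let Some(extensions) = &cert.tbs_certificate().extensions()` also appears to borrow a temporary `Option` (assuming `extensions()` returns an `Option` of a reference) and could probably be dropped. All four functions continue outside their hunks.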
@@ -440,11 +443,11 @@ pub(crate) fn descended_from_rfc822(prev_name: &Ia5String, new_name: &Ia5String) /// `descended_from_dn` returns true if new_name is equal to or descended from prev_name and false otherwise. pub(crate) fn descended_from_dn(subtree: &Name, name: &Name, min: u32, max: Option) -> bool { //if descendant fewer rdns then it is not a descendant - if subtree.0.len() > name.0.len() { + if subtree.len() > name.len() { return false; } - let diff = (name.0.len() - subtree.0.len()) as u32; + let diff = (name.len() - subtree.len()) as u32; if diff < min { return false; } @@ -454,27 +457,19 @@ pub(crate) fn descended_from_dn(subtree: &Name, name: &Name, min: u32, max: Opti } } - for i in 0..subtree.0.len() { - if subtree.0[i] != name.0[i] { + for (subtree_rdn, name_rdn) in subtree.iter_rdn().zip(name.iter_rdn()) { + if subtree_rdn != name_rdn { let mut let_it_slide = false; // some folks can't manage to use the same character set in a name constraint and subject name // allow this practice to not break stuff - let l = &subtree.0[i]; - let r = &name.0[i]; - if l.0.len() != r.0.len() { + if subtree_rdn.len() != name_rdn.len() { // diff number of attributes return false; } - for j in 0..l.0.len() { - let la = l.0.get(j); - let ra = r.0.get(j); - if la.is_none() || ra.is_none() { - // ought not occur - return false; - } - let lau = la.unwrap(); - let rau = ra.unwrap(); + for (subtree_attr, name_attr) in subtree.iter().zip(name_rdn.iter()) { + let lau = subtree_attr; + let rau = name_attr; if lau.oid != rau.oid { // if the type of attribute, i.e., c, cn, o, is different, return false return false; 
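Review bot: The inner loop added to `descended_from_dn` zips `subtree.iter()` with `name_rdn.iter()`, so it walks the whole subtree name from its start instead of the RDN that just failed the equality test; the removed code compared `subtree.0[i]` against `name.0[i]`, and the length check two lines above uses `subtree_rdn`. Assuming `Name::iter()` yields attributes across all RDNs (which is what would let this compile), the tolerant attribute comparison pairs the wrong attributes for any RDN other than the first, which can change whether a subject is judged to fall inside a permitted or excluded subtree. The line should be `for (subtree_attr, name_attr) in subtree_rdn.iter().zip(name_rdn.iter()) {`, matching the `lrdn.iter().zip(rrdn.iter())` form used in `compare_names`. A regression test with a multi-RDN subtree whose second RDN differs only in string type would pin this down. The loop body continues outside the hunk.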
@@ -599,12 +594,12 @@ pub(crate) fn log_error_for_name(name: &Name, msg: &str) { } pub(crate) fn log_error_for_ca(ca: &PDVCertificate, msg: &str) { - log_error_for_name(&ca.decoded_cert.tbs_certificate.subject, msg); + log_error_for_name(&ca.decoded_cert.tbs_certificate().subject(), msg); } /// log a message with subject name of the certificate appended pub fn log_error_for_subject(ca: &CertificateInner, msg: &str) { - log_error_for_name(&ca.tbs_certificate.subject, msg); + log_error_for_name(&ca.tbs_certificate().subject(), msg); } /// `oid_lookup` takes an ObjectIdentifier and returns a string with a friendly name for the OID or @@ -780,35 +775,19 @@ pub fn get_value_from_rdn(atav: &AttributeTypeAndValue) -> Result { /// [`compare_names`] compares two Name values returning true if they match and false otherwise. pub fn compare_names(left: &Name, right: &Name) -> bool { // no match if not the same number of RDNs - if left.0.len() != right.0.len() { + if left.len() != right.len() { return false; } - for i in 0..left.0.len() { - let lrdn = &left.0[i]; - let rrdn = &right.0[i]; - - if lrdn.0.len() != rrdn.0.len() { + for (lrdn, rrdn) in left.iter_rdn().zip(right.iter_rdn()) { + if lrdn.len() != rrdn.len() { return false; } if lrdn != rrdn { // only do the whitespace and case insensitve stuff is simpler compare fails (not full featured on no-std, hence tolerance for unused variables) #[allow(unused_variables)] - for j in 0..lrdn.0.len() { - let l = lrdn.0.get(j); - let r = rrdn.0.get(j); - - if l.is_none() || r.is_none() { - if l.is_none() && r.is_none() { - continue; - } else { - return false; - } - } - let l = l.unwrap(); - let r = r.unwrap(); - + for (l, r) in lrdn.iter().zip(rrdn.iter()) { if l.oid != r.oid { return false; } 
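Review bot: The two `zip` loops that replace the indexed loops in `compare_names` are only equivalent because of the length guards before them (`left.len() != right.len()` and `lrdn.len() != rrdn.len()`), and nothing in the code says so. `zip` stops silently at the shorter side, so if either guard were later moved or removed, a name with extra trailing RDNs or attributes would compare equal. A comment on each loop would record the dependency, for example `// zip is exact here: the RDN counts were checked equal above` and `// zip is exact here: the attribute counts were checked equal above`. The function continues outside the hunk.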
@@ -859,8 +838,8 @@ pub fn compare_names(left: &Name, right: &Name) -> bool { /// Retrieves a string value from the first attribute of last RDN element in the presented Name. pub fn get_leaf_rdn(name: &Name) -> String { - let rdn = &name.0[name.0.len() - 1]; - rdn.to_string() + let rdn = &name.iter_rdn().last(); + rdn.map(|r| r.to_string()).unwrap_or_default() } /// ta_valid_at_time checks the validity of the given trust anchor relative to the given time of interest. @@ -871,12 +850,12 @@ pub fn ta_valid_at_time( ) -> Result { match ta { TrustAnchorChoice::Certificate(c) => { - return valid_at_time(&c.tbs_certificate, toi, stifle_log); + return valid_at_time(&c.tbs_certificate(), toi, stifle_log); } TrustAnchorChoice::TaInfo(tai) => { if let Some(cp) = &tai.cert_path { if let Some(c) = &cp.certificate { - return valid_at_time(&c.tbs_certificate, toi, stifle_log); + return valid_at_time(&c.tbs_certificate(), toi, stifle_log); } } } diff --git a/certval/src/validator/name_constraints_set.rs b/certval/src/validator/name_constraints_set.rs index 7c73c7b..8769d2b 100644 --- a/certval/src/validator/name_constraints_set.rs +++ b/certval/src/validator/name_constraints_set.rs @@ -198,7 +198,7 @@ impl NameConstraintsSet { /// `subject_within_excluded_subtrees` returns true if subject is within at least one excluded subtree /// known to self. pub fn subject_within_permitted_subtrees(&self, subject: &Name) -> bool { - if subject.0.is_empty() { + if subject.is_empty() { // NULL subjects get a free pass return true; } @@ -399,7 +399,7 @@ impl NameConstraintsSet { /// `subject_within_excluded_subtrees` returns true if subject is within at least one excluded subtree /// known to self. pub fn subject_within_excluded_subtrees(&self, subject: &Name) -> bool { - if subject.0.is_empty() { + if subject.is_empty() { // NULL subjects get a free pass return false; } diff --git a/certval/src/validator/path_validator.rs b/certval/src/validator/path_validator.rs index 9ee5f55..07f720d 100644 
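Review bot: The doc comment on `get_leaf_rdn` no longer matches the code. It promises "a string value from the first attribute of last RDN element", but the body returns `to_string()` of the whole last RDN and, after this change, an empty string when the Name has no RDNs (the old indexing would have panicked there). The comment could read `/// Returns the string form of the last RDN in the presented Name, or an empty string if the Name has no RDNs.` The borrow of the temporary can go as well, leaving the body as `name.iter_rdn().last().map(|r| r.to_string()).unwrap_or_default()`.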
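Review bot: The doc comment above `subject_within_permitted_subtrees` in the first name_constraints_set.rs hunk is a copy of the one on `subject_within_excluded_subtrees`: it names the excluded function and describes excluded subtrees. The two functions return opposite values for an empty subject (`true` here, `false` in the excluded variant), so a reader relying on the comment gets the wrong contract for a name-constraints decision. Suggested text, to be checked against the part of the body outside the hunk: `/// `subject_within_permitted_subtrees` returns true if subject is empty or falls within the permitted subtrees known to self.`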
--- a/certval/src/validator/path_validator.rs +++ b/certval/src/validator/path_validator.rs @@ -98,7 +98,7 @@ pub fn validate_path_rfc5280( cpr.set_validation_status(PathValidationStatus::Valid); info!( "Successfully completed basic path validation checks for certificate issued to {}", - name_to_string(&cp.target.decoded_cert.tbs_certificate.subject) + name_to_string(&cp.target.decoded_cert.tbs_certificate().subject()) ); Ok(()) } @@ -233,11 +233,11 @@ pub fn check_validity( }; let target = &cp.target; - let target_ttl = valid_at_time(&target.decoded_cert.tbs_certificate, toi, false); + let target_ttl = valid_at_time(&target.decoded_cert.tbs_certificate(), toi, false); is_valid(target_ttl)?; for ca_cert in cp.intermediates.iter() { - let ca_ttl = valid_at_time(&ca_cert.decoded_cert.tbs_certificate, toi, false); + let ca_ttl = valid_at_time(&ca_cert.decoded_cert.tbs_certificate(), toi, false); is_valid(ca_ttl)?; } @@ -297,7 +297,7 @@ pub fn check_names( // Iterate over the list of intermediate CA certificates plus target to check name chaining for (pos, ca_cert) in v.iter().enumerate() { if !compare_names( - &ca_cert.decoded_cert.tbs_certificate.issuer, + &ca_cert.decoded_cert.tbs_certificate().issuer(), &working_issuer_name, ) { log_error_for_ca(ca_cert, "name chaining violation"); @@ -308,7 +308,7 @@ pub fn check_names( } if pos + 1 != certs_in_cert_path { - working_issuer_name = ca_cert.decoded_cert.tbs_certificate.subject.clone(); + working_issuer_name = ca_cert.decoded_cert.tbs_certificate().subject().clone(); } } 
@@ -317,9 +317,9 @@ pub fn check_names( let self_issued = is_self_issued(&ca_cert.decoded_cert); if (pos + 1) == certs_in_cert_path || !self_issued { - if !permitted_subtrees - .subject_within_permitted_subtrees(&ca_cert.decoded_cert.tbs_certificate.subject) - { + if !permitted_subtrees.subject_within_permitted_subtrees( + &ca_cert.decoded_cert.tbs_certificate().subject(), + ) { log_error_for_ca( ca_cert, "permitted name constraints violation for subject name", @@ -331,7 +331,7 @@ pub fn check_names( } if excluded_subtrees - .subject_within_excluded_subtrees(&ca_cert.decoded_cert.tbs_certificate.subject) + .subject_within_excluded_subtrees(&ca_cert.decoded_cert.tbs_certificate().subject()) { log_error_for_ca( ca_cert, @@ -579,8 +579,8 @@ pub fn check_critical_extensions( let mut ensure_criticals_processed = |cert: &PDVCertificate, err_str: &'static str| -> Result<()> { - if let Some(exts) = &cert.decoded_cert.tbs_certificate.extensions { - for ext in exts { + if let Some(exts) = &cert.decoded_cert.tbs_certificate().extensions() { + for ext in exts.as_slice() { if ext.critical && !processed_exts.contains(&ext.extn_id) { log_error_for_ca(cert, format!("{}: {}", err_str, ext.extn_id).as_str()); cpr.set_validation_status(PathValidationStatus::UnprocessedCriticalExtension); 
@@ -770,20 +770,20 @@ pub fn enforce_trust_anchor_constraints( match &ta.decoded_ta { TrustAnchorChoice::Certificate(c) => { - check_critical_extensions_from_ta(&c.tbs_certificate.extensions)?; + check_critical_extensions_from_ta(&c.tbs_certificate().extensions())?; } TrustAnchorChoice::TaInfo(tai) => { - check_critical_extensions_from_ta(&tai.extensions)?; + check_critical_extensions_from_ta(&tai.extensions.as_ref())?; } TrustAnchorChoice::TbsCertificate(tbs) => { - check_critical_extensions_from_ta(&tbs.extensions)?; + check_critical_extensions_from_ta(&tbs.extensions())?; } } Ok(mod_cps) } -fn check_critical_extensions_from_ta(exts: &Option) -> Result<()> { +fn check_critical_extensions_from_ta(exts: &Option<&Extensions>) -> Result<()> { let recognized_oids = [ ID_CE_BASIC_CONSTRAINTS, ID_CE_NAME_CONSTRAINTS, @@ -793,7 +793,7 @@ fn check_critical_extensions_from_ta(exts: &Option) -> Result<()> { ID_CE_INHIBIT_ANY_POLICY, ]; if let Some(exts) = exts { - for ext in exts { + for ext in exts.as_slice() { if ext.critical && !recognized_oids.contains(&ext.extn_id) { return Err(Error::Unrecognized); } @@ -828,15 +828,15 @@ pub fn verify_signatures( } }; - if cur_cert.decoded_cert.tbs_certificate.signature - != cur_cert.decoded_cert.signature_algorithm + if cur_cert.decoded_cert.tbs_certificate().signature() + != cur_cert.decoded_cert.signature_algorithm() { log_error_for_ca( cur_cert, format!( "signature algorithm mismatch: {:?} - {:?}", - cur_cert.decoded_cert.tbs_certificate.signature, - cur_cert.decoded_cert.signature_algorithm + cur_cert.decoded_cert.tbs_certificate().signature(), + cur_cert.decoded_cert.signature_algorithm() ) .as_str(), ); 
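Review bot: `check_critical_extensions_from_ta` now takes `&Option<&Extensions>`, a reference to an option of a reference, which pushes the call sites into `&c.tbs_certificate().extensions()`, `&tai.extensions.as_ref()` and `&tbs.extensions()`, each borrowing a temporary. Taking the option by value, `fn check_critical_extensions_from_ta(exts: Option<&Extensions>) -> Result<()> {`, lets the callers pass `c.tbs_certificate().extensions()`, `tai.extensions.as_ref()` and `tbs.extensions()` directly. The `if let Some(exts) = exts` in the following hunk works unchanged with that signature.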
@@ -847,8 +847,8 @@ pub fn verify_signatures( let r = pe.verify_signature_message( pe, &defer_cert.tbs_field, - cur_cert.decoded_cert.signature.raw_bytes(), - &cur_cert.decoded_cert.tbs_certificate.signature, + cur_cert.decoded_cert.signature().raw_bytes(), + &cur_cert.decoded_cert.tbs_certificate().signature(), &working_spki, ); if let Err(e) = r { @@ -864,8 +864,8 @@ pub fn verify_signatures( working_spki = cur_cert .decoded_cert - .tbs_certificate - .subject_public_key_info + .tbs_certificate() + .subject_public_key_info() .clone(); } Ok(()) diff --git a/certval/src/validator/pdv_certificate.rs b/certval/src/validator/pdv_certificate.rs index a0f7472..218afee 100644 --- a/certval/src/validator/pdv_certificate.rs +++ b/certval/src/validator/pdv_certificate.rs @@ -141,7 +141,7 @@ impl ExtensionProcessing for PDVCertificate { return Ok(pe.get(oid)); } - if let Some(exts) = self.decoded_cert.tbs_certificate.extensions.as_ref() { + if let Some(exts) = self.decoded_cert.tbs_certificate().extensions().as_ref() { if let Some(i) = exts.iter().find(|&ext| ext.extn_id == *oid) { let v = i.extn_value.as_bytes(); match *oid { diff --git a/certval/src/validator/pdv_trust_anchor.rs b/certval/src/validator/pdv_trust_anchor.rs index 9369d65..087ab3b 100644 --- a/certval/src/validator/pdv_trust_anchor.rs +++ b/certval/src/validator/pdv_trust_anchor.rs @@ -224,7 +224,7 @@ impl ExtensionProcessing for PDVTrustAnchorChoice { } let exts = match &self.decoded_ta { - TrustAnchorChoice::Certificate(c) => &c.tbs_certificate.extensions, + TrustAnchorChoice::Certificate(c) => &c.tbs_certificate().extensions(), TrustAnchorChoice::TaInfo(tai) => { if let Some(cp) = &tai.cert_path { // TODO Support all TrustAnchorInfo overrides @@ -247,7 +247,7 @@ impl ExtensionProcessing for PDVTrustAnchorChoice { } if let Some(c) = &cp.certificate { - &c.tbs_certificate.extensions + &c.tbs_certificate().extensions() } else { &None } 
@@ -355,7 +355,7 @@ impl ExtensionProcessing for PDVTrustAnchorChoice { pub fn get_trust_anchor_name(ta: &TrustAnchorChoice) -> Result<&Name> { match ta { TrustAnchorChoice::Certificate(cert) => { - return Ok(&cert.tbs_certificate.subject); + return Ok(&cert.tbs_certificate().subject()); } TrustAnchorChoice::TaInfo(tai) => { if let Some(cert_path) = &tai.cert_path { @@ -363,7 +363,7 @@ pub fn get_trust_anchor_name(ta: &TrustAnchorChoice) -> Result<&Name> { } } TrustAnchorChoice::TbsCertificate(cert) => { - return Ok(&cert.subject); + return Ok(&cert.subject()); } } Err(Error::NotFound) diff --git a/certval/tests/path_validator.rs b/certval/tests/path_validator.rs index 748a625..9509c2a 100644 --- a/certval/tests/path_validator.rs +++ b/certval/tests/path_validator.rs @@ -22,7 +22,7 @@ fn prehash_required() { &parts.tbs_field, parts.signature.raw_bytes(), &parts.signature_algorithm, - &ca_cert.tbs_certificate.subject_public_key_info, + &ca_cert.tbs_certificate().subject_public_key_info(), ) .unwrap(); } @@ -219,7 +219,7 @@ fn wire_certchain_works() { )) .unwrap(); cert_source.push(certval::CertFile { - filename: format!("Intermediate CA #1 [{}]", cert.tbs_certificate.subject), + filename: format!("Intermediate CA #1 [{}]", cert.tbs_certificate().subject()), bytes: cert.to_der().unwrap(), }); diff --git a/pittv3/src/no_std_utils.rs b/pittv3/src/no_std_utils.rs index ceb8974..bdf4ef6 100644 --- a/pittv3/src/no_std_utils.rs +++ b/pittv3/src/no_std_utils.rs @@ -54,7 +54,11 @@ pub(crate) fn validate_cert( info!( "Validating {} certificate path for {}", (path.intermediates.len() + 2), - path.target.decoded_cert.tbs_certificate.subject.to_string() + path.target + .decoded_cert + .tbs_certificate() + .subject() + .to_string() ); let mut cpr = CertificationPathResults::new(); diff --git a/pittv3/src/pitt_log.rs b/pittv3/src/pitt_log.rs index a1a84e2..84670ca 100644 --- a/pittv3/src/pitt_log.rs +++ b/pittv3/src/pitt_log.rs 
@@ -200,7 +200,7 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate f.write_all( format!( "\t\t* Issuer Name: {}\n", - name_to_string(&cert.decoded_cert.tbs_certificate.issuer) + name_to_string(&cert.decoded_cert.tbs_certificate().issuer()) ) .as_bytes(), ) @@ -208,7 +208,7 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate f.write_all( format!( "\t\t* Subject Name: {}\n", - name_to_string(&cert.decoded_cert.tbs_certificate.subject) + name_to_string(&cert.decoded_cert.tbs_certificate().subject()) ) .as_bytes(), ) @@ -216,7 +216,12 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate f.write_all( format!( "\t\t* Serial Number: 0x{}\n", - buffer_to_hex(cert.decoded_cert.tbs_certificate.serial_number.as_bytes()) + buffer_to_hex( + cert.decoded_cert + .tbs_certificate() + .serial_number() + .as_bytes() + ) ) .as_bytes(), ) @@ -226,8 +231,8 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate "\t\t* Not Before: {}\n", &cert .decoded_cert - .tbs_certificate - .validity + .tbs_certificate() + .validity() .not_before .to_string() ) @@ -239,8 +244,8 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate "\t\t* Not After: {}\n", &cert .decoded_cert - .tbs_certificate - .validity + .tbs_certificate() + .validity() .not_after .to_string() ) @@ -253,8 +258,8 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate pe.oid_lookup( &cert .decoded_cert - .tbs_certificate - .subject_public_key_info + .tbs_certificate() + .subject_public_key_info() .algorithm .oid ) @@ -267,8 +272,8 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate "\t\t* Public key size: {} bytes\n", &cert .decoded_cert - .tbs_certificate - .subject_public_key_info + .tbs_certificate() + .subject_public_key_info() .subject_public_key .raw_bytes() .len() 
@@ -280,7 +285,7 @@ pub fn log_cert_details(pe: &PkiEnvironment, f: &mut File, cert: &PDVCertificate f.write_all( format!( "\t\t* Signature algorithm: {}\n", - pe.oid_lookup(&cert.decoded_cert.tbs_certificate.signature.oid) + pe.oid_lookup(&cert.decoded_cert.tbs_certificate().signature().oid) ) .as_bytes(), ) diff --git a/pittv3/src/std_utils.rs b/pittv3/src/std_utils.rs index 385be96..07c58b8 100644 --- a/pittv3/src/std_utils.rs +++ b/pittv3/src/std_utils.rs @@ -87,7 +87,11 @@ pub(crate) async fn validate_cert_file( info!( "Validating {} certificate path for {}", (path.intermediates.len() + 2), - path.target.decoded_cert.tbs_certificate.subject.to_string() + path.target + .decoded_cert + .tbs_certificate() + .subject() + .to_string() ); let mut cpr = CertificationPathResults::new(); @@ -333,7 +337,7 @@ pub fn cleanup_certs( match parse_cert(target.as_slice(), filename) { Ok(tc) => { if !t.is_disabled() { - let r = valid_at_time(&tc.decoded_cert.tbs_certificate, t, true); + let r = valid_at_time(&tc.decoded_cert.tbs_certificate(), t, true); if let Err(_e) = r { delete_file = true; error!( diff --git a/support/x509-limbo-tests/Cargo.lock b/support/x509-limbo-tests/Cargo.lock index 16827ba..d0e09c5 100644 --- a/support/x509-limbo-tests/Cargo.lock +++ b/support/x509-limbo-tests/Cargo.lock @@ -258,7 +258,7 @@ checksum = "6bdf600c45bd958cf2945c445264471cca8b6c8e67bc87b71affd6d7e5682621" [[package]] name = "cms" version = "0.3.0-pre" -source = "git+https://github.com/RustCrypto/formats.git#1b49eb7afc6c23ce403aa3d4d2440864010bd566" +source = "git+https://github.com/RustCrypto/formats.git#d801da61680eaee6775d5c18921b862b513773f1" dependencies = [ "const-oid", "der", 
@@ -688,9 +688,9 @@ dependencies = [ [[package]] name = "heck" -version = "0.5.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "hermit-abi" @@ -878,7 +878,7 @@ name = "limbo-harness-support" version = "0.1.0" dependencies = [ "chrono", - "regress 0.10.1", + "regress 0.9.1", "serde", "serde_json", "typify", @@ -1340,9 +1340,9 @@ checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" [[package]] name = "regress" -version = "0.9.1" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0eae2a1ebfecc58aff952ef8ccd364329abe627762f5bf09ff42eb9d98522479" +checksum = "4f5f39ba4513916c1b2657b72af6ec671f091cd637992f58d0ede5cae4e5dea0" dependencies = [ "hashbrown", "memchr", @@ -1350,9 +1350,9 @@ dependencies = [ [[package]] name = "regress" -version = "0.10.1" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1541daf4e4ed43a0922b7969bdc2170178bcacc5dabf7e39bc508a9fa3953a7a" +checksum = "0eae2a1ebfecc58aff952ef8ccd364329abe627762f5bf09ff42eb9d98522479" dependencies = [ "hashbrown", "memchr", @@ -1569,9 +1569,6 @@ name = "semver" version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" -dependencies = [ - "serde", -] [[package]] name = "serde" 
@@ -1914,9 +1911,9 @@ checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" [[package]] name = "typify" -version = "0.1.0" +version = "0.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "adb6beec125971dda80a086f90b4a70f60f222990ce4d63ad0fc140492f53444" +checksum = "5c61e9db210bbff218e6535c664b37ec47da449169b98e7866d0580d0db75529" dependencies = [ "typify-impl", "typify-macro", @@ -1924,18 +1921,16 @@ dependencies = [ [[package]] name = "typify-impl" -version = "0.1.0" +version = "0.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93bbb24e990654aff858d80fee8114f4322f7d7a1b1ecb45129e2fcb0d0ad5ae" +checksum = "95e32f38493804f88e2dc7a5412eccd872ea5452b4db9b0a77de4df180f2a87e" dependencies = [ "heck", "log", "proc-macro2", "quote", - "regress 0.9.1", + "regress 0.8.0", "schemars", - "semver", - "serde", "serde_json", "syn", "thiserror", @@ -1944,14 +1939,13 @@ dependencies = [ [[package]] name = "typify-macro" -version = "0.1.0" +version = "0.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8e6491896e955692d68361c68db2b263e3bec317ec0b684e0e2fa882fb6e31e" +checksum = "cc09508b72f63d521d68e42c7f172c7416d67986df44b3c7d1f7f9963948ed32" dependencies = [ "proc-macro2", "quote", "schemars", - "semver", "serde", "serde_json", "serde_tokenstream", @@ -2289,7 +2283,7 @@ dependencies = [ [[package]] name = "x509-cert" version = "0.3.0-pre" -source = "git+https://github.com/RustCrypto/formats.git#1b49eb7afc6c23ce403aa3d4d2440864010bd566" +source = "git+https://github.com/RustCrypto/formats.git#d801da61680eaee6775d5c18921b862b513773f1" dependencies = [ "const-oid", "der", 
@@ -2300,7 +2294,7 @@ dependencies = [ [[package]] name = "x509-ocsp" version = "0.3.0-pre" -source = "git+https://github.com/RustCrypto/formats.git#1b49eb7afc6c23ce403aa3d4d2440864010bd566" +source = "git+https://github.com/RustCrypto/formats.git#d801da61680eaee6775d5c18921b862b513773f1" dependencies = [ "const-oid", "der",