x509-cert: add SubjectKeyIdentifier and AuthorityKeyIdentifier conversions

Author: baloo

x509-cert/src/builder.rs

@@ -2,13 +2,12 @@
 
 use alloc::vec;
 use core::fmt;
-use der::{
-    asn1::{BitString, OctetString},
-    Encode,
-};
-use sha1::{Digest, Sha1};
+use der::{asn1::BitString, referenced::OwnedToRef, Encode};
 use signature::{Keypair, SignatureEncoding, Signer};
-use spki::{DynSignatureAlgorithmIdentifier, EncodePublicKey, SubjectPublicKeyInfoOwned};
+use spki::{
+    DynSignatureAlgorithmIdentifier, EncodePublicKey, SubjectPublicKeyInfoOwned,
+    SubjectPublicKeyInfoRef,
+};
 
 use crate::{
     certificate::{Certificate, TbsCertificate, Version},
@@ -112,8 +111,8 @@ impl Profile {
 
     fn build_extensions(
         &self,
-        spk: &SubjectPublicKeyInfoOwned,
-        issuer_spk: &SubjectPublicKeyInfoOwned,
+        spk: SubjectPublicKeyInfoRef<'_>,
+        issuer_spk: SubjectPublicKeyInfoRef<'_>,
         tbs: &TbsCertificate,
     ) -> Result<vec::Vec<Extension>> {
         #[cfg(feature = "hazmat")]
@@ -124,27 +123,14 @@ impl Profile {
 
         let mut extensions: vec::Vec<Extension> = vec::Vec::new();
 
-        extensions.push({
-            let result = Sha1::digest(spk.subject_public_key.raw_bytes());
-            SubjectKeyIdentifier(OctetString::new(result.to_vec())?).to_extension(tbs)?
-        });
+        extensions.push(SubjectKeyIdentifier::try_from(spk)?.to_extension(tbs)?);
 
         // Build Authority Key Identifier
         match self {
             Profile::Root => {}
             _ => {
-                let mut hasher = Sha1::new();
-                hasher.update(issuer_spk.subject_public_key.raw_bytes());
-                let result = hasher.finalize();
-
-                extensions.push(
-                    AuthorityKeyIdentifier {
-                        key_identifier: Some(OctetString::new(result.to_vec())?),
-                        authority_cert_issuer: None,
-                        authority_cert_serial_number: None,
-                    }
-                    .to_extension(tbs)?,
-                );
+                extensions
+                    .push(AuthorityKeyIdentifier::try_from(issuer_spk.clone())?.to_extension(tbs)?);
             }
         }
 
@@ -301,8 +287,11 @@ where
         };
 
         if tbs.version == Version::V3 {
-            let extensions =
-                profile.build_extensions(&tbs.subject_public_key_info, &signer_pub, &tbs)?;
+            let extensions = profile.build_extensions(
+                tbs.subject_public_key_info.owned_to_ref(),
+                signer_pub.owned_to_ref(),
+                &tbs,
+            )?;
             if !extensions.is_empty() {
                 tbs.extensions = Some(extensions);
             }

x509-cert/src/ext/pkix.rs

@@ -49,6 +49,10 @@ impl AssociatedOid for SubjectKeyIdentifier {
 
 impl_newtype!(SubjectKeyIdentifier, OctetString);
 impl_extension!(SubjectKeyIdentifier, critical = false);
+impl_key_identifier!(
+    SubjectKeyIdentifier,
+    (|result: &[u8]| Ok(Self(OctetString::new(result)?)))
+);
 
 /// SubjectAltName as defined in [RFC 5280 Section 4.2.1.6].
 ///

x509-cert/src/ext/pkix/authkeyid.rs

@@ -19,7 +19,7 @@ use der::Sequence;
 /// ```
 ///
 /// [RFC 5280 Section 4.2.1.1]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1
-#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+#[derive(Clone, Debug, Eq, PartialEq, Sequence, Default)]
 #[allow(missing_docs)]
 pub struct AuthorityKeyIdentifier {
     #[asn1(context_specific = "0", tag_mode = "IMPLICIT", optional = "true")]
@@ -37,3 +37,10 @@ impl AssociatedOid for AuthorityKeyIdentifier {
 }
 
 impl_extension!(AuthorityKeyIdentifier, critical = false);
+impl_key_identifier!(
+    AuthorityKeyIdentifier,
+    (|result: &[u8]| Ok(Self {
+        key_identifier: Some(OctetString::new(result)?),
+        ..Default::default()
+    }))
+);

x509-cert/src/macros.rs

@@ -92,3 +92,43 @@ macro_rules! impl_extension {
         }
     };
 }
+
+/// Implements conversions between [`spki::SubjectPublicKeyInfo`] and [`SubjectKeyIdentifier`] or [`AuthorityKeyIdentifier`]
+macro_rules! impl_key_identifier {
+    ($newtype:ty, $out:expr) => {
+        #[cfg(feature = "builder")]
+        mod builder_key_identifier {
+            use super::*;
+            use der::asn1::OctetString;
+            use sha1::{Digest, Sha1};
+            use spki::SubjectPublicKeyInfoRef;
+
+            impl<'a> TryFrom<SubjectPublicKeyInfoRef<'a>> for $newtype {
+                type Error = der::Error;
+
+                fn try_from(issuer: SubjectPublicKeyInfoRef<'a>) -> Result<Self, Self::Error> {
+                    // https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2
+                    //
+                    //  For CA certificates, subject key identifiers SHOULD be derived from
+                    //  the public key or a method that generates unique values.  Two common
+                    //  methods for generating key identifiers from the public key are:
+
+                    //     (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
+                    //          value of the BIT STRING subjectPublicKey (excluding the tag,
+                    //          length, and number of unused bits).
+
+                    //     (2) The keyIdentifier is composed of a four-bit type field with
+                    //          the value 0100 followed by the least significant 60 bits of
+                    //          the SHA-1 hash of the value of the BIT STRING
+                    //          subjectPublicKey (excluding the tag, length, and number of
+                    //          unused bits).
+
+                    // Here we're using the first method
+
+                    let result = Sha1::digest(issuer.subject_public_key.raw_bytes());
+                    $out(result.as_slice())
+                }
+            }
+        }
+    };
+}