document the api

Author: baloo

x509-cert/src/builder.rs

@@ -1,13 +1,19 @@
+//! Constants for X509 signature algorithm
+
 use crate::{builder::CertSignatureAlgorithm, der::asn1, spki::AlgorithmIdentifier};
 
+/// sha256WithRSAEncryption  OBJECT IDENTIFIER  ::=  { iso(1)
+///        member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11 }
+///
+/// https://datatracker.ietf.org/doc/html/rfc5754#section-3.2
 pub struct RsaWithSha256;
 
 impl RsaWithSha256 {
     const OID: asn1::ObjectIdentifier = asn1::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
 }
 
 impl CertSignatureAlgorithm for RsaWithSha256 {
-    fn signature_algorithm(&self) -> AlgorithmIdentifier<'_> {
+    fn identifier(&self) -> AlgorithmIdentifier<'_> {
         AlgorithmIdentifier {
             oid: RsaWithSha256::OID.clone(),
             parameters: Some(asn1::AnyRef::NULL),

x509-cert/src/constants.rs

@@ -1,5 +1,6 @@
 //! Standardized X.509 Certificate Extensions
 
+use const_oid::AssociatedOid;
 use der::Sequence;
 use spki::ObjectIdentifier;
 
@@ -42,3 +43,23 @@ pub struct Extension<'a> {
 ///
 /// [RFC 5280 Section 4.1.2.9]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.9
 pub type Extensions<'a> = alloc::vec::Vec<Extension<'a>>;
+
+/// Trait to be implemented by extensions to allow them to be formated as x509 v3 extensions by
+/// builder.
+pub trait AsExtension: AssociatedOid + der::Encode {
+    /// Should the extension be marked critical
+    const CRITICAL: bool;
+
+    /// Returns the der representation of the Extension.
+    fn to_extension_vec(&self) -> Result<alloc::vec::Vec<u8>, der::Error> {
+        use der::Encode;
+        let content = self.to_vec()?;
+
+        Extension {
+            extn_id: <Self as AssociatedOid>::OID,
+            critical: Self::CRITICAL,
+            extn_value: &content,
+        }
+        .to_vec()
+    }
+}

x509-cert/src/ext.rs

@@ -48,6 +48,7 @@ impl<'a> AssociatedOid for SubjectKeyIdentifier<'a> {
 }
 
 impl_newtype!(SubjectKeyIdentifier<'a>, OctetStringRef<'a>);
+impl_extension!(SubjectKeyIdentifier<'a>);
 
 /// SubjectAltName as defined in [RFC 5280 Section 4.2.1.6].
 ///
@@ -64,6 +65,7 @@ impl<'a> AssociatedOid for SubjectAltName<'a> {
 }
 
 impl_newtype!(SubjectAltName<'a>, name::GeneralNames<'a>);
+impl_extension!(SubjectAltName<'a>);
 
 /// IssuerAltName as defined in [RFC 5280 Section 4.2.1.7].
 ///
@@ -80,6 +82,7 @@ impl<'a> AssociatedOid for IssuerAltName<'a> {
 }
 
 impl_newtype!(IssuerAltName<'a>, name::GeneralNames<'a>);
+impl_extension!(IssuerAltName<'a>);
 
 /// SubjectDirectoryAttributes as defined in [RFC 5280 Section 4.2.1.8].
 ///

x509-cert/src/ext/pkix.rs

@@ -34,3 +34,5 @@ pub struct AuthorityKeyIdentifier<'a> {
 impl<'a> AssociatedOid for AuthorityKeyIdentifier<'a> {
     const OID: ObjectIdentifier = ID_CE_AUTHORITY_KEY_IDENTIFIER;
 }
+
+impl_extension!(AuthorityKeyIdentifier<'a>);

x509-cert/src/ext/pkix/authkeyid.rs

@@ -22,3 +22,5 @@ pub struct BasicConstraints {
 impl AssociatedOid for BasicConstraints {
     const OID: ObjectIdentifier = ID_CE_BASIC_CONSTRAINTS;
 }
+
+impl_extension!(BasicConstraints, critical = true);

x509-cert/src/ext/pkix/constraints/basic.rs

@@ -52,6 +52,7 @@ impl AssociatedOid for KeyUsage {
 }
 
 impl_newtype!(KeyUsage, FlagSet<KeyUsages>);
+impl_extension!(KeyUsage, critical = true);
 
 /// ExtKeyUsageSyntax as defined in [RFC 5280 Section 4.2.1.12].
 ///

x509-cert/src/ext/pkix/keyusage.rs

@@ -71,3 +71,16 @@ macro_rules! impl_newtype {
         }
     };
 }
+
+/// Implements the AsExtension traits for every defined Extension paylooad
+macro_rules! impl_extension {
+    ($newtype:ty) => {
+        impl_extension!($newtype, critical = false);
+    };
+    ($newtype:ty, critical = $critical:expr) => {
+        #[allow(unused_lifetimes)]
+        impl<'a> crate::ext::AsExtension for $newtype {
+            const CRITICAL: bool = $critical;
+        }
+    };
+}

x509-cert/src/macros.rs

@@ -39,7 +39,7 @@ const ZLINT_CONFIG: &str = &"
 Rounds = 100
 ";
 
-fn check_certificate(cert: &Certificate) {
+fn check_certificate(cert: &Certificate, ignored: &[&str]) {
     let tmp_dir = tempdir().expect("create tempdir");
     let config_path = tmp_dir.path().join("config.toml");
     let cert_path = tmp_dir.path().join("cert.pem");
@@ -78,7 +78,6 @@ fn check_certificate(cert: &Certificate) {
     let output: zlint::LintResult =
         serde_json::from_slice(&output_buf).expect("parse zlint output");
 
-    let ignored = &[];
     assert!(output.check_lints(ignored));
 }
 
@@ -103,20 +102,21 @@ fn root_ca_certificate() {
 
     let mut builder = CertificateBuilder::new(
         profile,
-        CertificateVersion::V3 { uids },
+        CertificateVersion::V3(uids),
         serial_number,
-        constants::RsaWithSha256,
         validity,
         subject,
         pub_key,
+        &RsaCertSigner,
     )
     .expect("Create certificate");
 
-    let certificate = builder.build(RsaCertSigner).unwrap();
+    let certificate = builder.build().unwrap();
 
     println!("{}", openssl::text_output(&certificate));
 
-    check_certificate(&certificate);
+    let ignored = &[];
+    check_certificate(&certificate, ignored);
 }
 
 #[test]
@@ -147,20 +147,29 @@ fn sub_ca_certificate() {
 
     let mut builder = CertificateBuilder::new(
         profile,
-        CertificateVersion::V3 { uids },
+        CertificateVersion::V3(uids),
         serial_number,
-        constants::RsaWithSha256,
+        //constants::RsaWithSha256,
         validity,
         subject,
         pub_key,
+        &RsaCertSigner,
     )
     .expect("Create certificate");
 
-    let certificate = builder.build(RsaCertSigner).unwrap();
+    let certificate = builder.build().unwrap();
 
     println!("{}", openssl::text_output(&certificate));
 
-    check_certificate(&certificate);
+    // TODO(baloo): not too sure we should tackle those in this API.
+    let ignored = &[
+        "w_sub_ca_aia_missing",
+        "e_sub_ca_crl_distribution_points_missing",
+        "e_sub_ca_certificate_policies_missing",
+        "w_sub_ca_aia_does_not_contain_issuing_ca_url",
+    ];
+
+    check_certificate(&certificate, ignored);
 }
 
 const RSA_2048_PRIV_DER_EXAMPLE: &[u8] = include_bytes!("examples/rsa2048-priv.der");
@@ -170,6 +179,14 @@ struct RsaCertSigner;
 impl Signer for RsaCertSigner {
     type Alg = constants::RsaWithSha256;
 
+    fn signature_algorithm(&self) -> Self::Alg {
+        constants::RsaWithSha256
+    }
+
+    fn public_key(&self) -> SubjectPublicKeyInfo {
+        SubjectPublicKeyInfo::try_from(RSA_2048_DER_EXAMPLE).expect("get rsa pub key")
+    }
+
     fn sign(&self, input: &TbsCertificate<'_>) -> Vec<u8> {
         use rsa::pkcs1v15::SigningKey;
         use rsa::signature::{RandomizedSigner, Signature};