x509-cert: wip: add certificate builder

Author: baloo

x509-cert/Cargo.toml

@@ -30,6 +30,7 @@ rstest = "0.12"
 
 [features]
 alloc = ["der/alloc"]
+builder = ["std"]
 std = ["der/std", "spki/std"]
 pem = ["alloc", "der/pem"]
 

x509-cert/src/builder.rs

@@ -0,0 +1,167 @@
+use std::println;
+use std::vec::Vec;
+
+use crate::{
+    certificate::{Certificate, TbsCertificate, Version},
+    der::{
+        asn1::{BitString, BitStringRef, UIntRef},
+        Decode, Encode, SliceReader,
+    },
+    name::Name,
+    spki::{AlgorithmIdentifier, SubjectPublicKeyInfo},
+    time::Validity,
+};
+
+pub type Result<T> = core::result::Result<T, der::Error>;
+
+pub struct UniqueIds {
+    pub issuer_unique_id: Option<BitString>,
+    pub subject_unique_id: Option<BitString>,
+}
+
+impl UniqueIds {
+    fn to_vec(&self) -> Result<(Option<Vec<u8>>, Option<Vec<u8>>)> {
+        Ok((
+            self.issuer_unique_id
+                .as_ref()
+                .map(|bs| bs.to_vec())
+                .transpose()?,
+            self.subject_unique_id
+                .as_ref()
+                .map(|bs| bs.to_vec())
+                .transpose()?,
+        ))
+    }
+}
+
+pub enum CertificateVersion {
+    V1,
+    V2(UniqueIds),
+    V3(UniqueIds),
+}
+
+impl Into<Version> for CertificateVersion {
+    fn into(self) -> Version {
+        use CertificateVersion::*;
+        match self {
+            V1 => Version::V1,
+            V2(_) => Version::V2,
+            V3(_) => Version::V3,
+        }
+    }
+}
+
+pub struct CertificateBuilder<SA: CertSignatureAlgorithm> {
+    version: Version,
+    serial_number: Vec<u8>,
+    signature_alg: Vec<u8>,
+    issuer: Vec<u8>,
+    validity: Validity,
+    subject: Vec<u8>,
+    subject_public_key_info: Vec<u8>,
+    issuer_unique_id: Option<Vec<u8>>,
+    subject_unique_id: Option<Vec<u8>>,
+
+    extensions: Vec<Vec<u8>>,
+
+    // Buffer used to store the signature once the certificate is built.
+    // It needs to be co-located with the rest.
+    signature: Vec<u8>,
+
+    signature_alg_marker: core::marker::PhantomData<SA>,
+}
+
+impl<SA: CertSignatureAlgorithm> CertificateBuilder<SA> {
+    pub fn new(
+        version: CertificateVersion,
+        serial_number: UIntRef<'_>,
+        signature_alg: SA,
+        validity: Validity,
+        issuer: Name<'_>,
+        subject: Name<'_>,
+        subject_public_key_info: SubjectPublicKeyInfo<'_>,
+    ) -> Result<Self> {
+        let signature_alg = signature_alg.signature_algorithm().to_vec()?;
+        let issuer = issuer.to_vec()?;
+        let subject = subject.to_vec()?;
+        let serial_number = serial_number.to_vec()?;
+        let subject_public_key_info = subject_public_key_info.to_vec()?;
+
+        let (version, (issuer_unique_id, subject_unique_id)) = match version {
+            CertificateVersion::V1 => (Version::V1, (None, None)),
+            CertificateVersion::V2(uids) => (Version::V2, uids.to_vec()?),
+            CertificateVersion::V3(uids) => (Version::V3, uids.to_vec()?),
+        };
+
+        let signature = Default::default();
+        let extensions = Default::default();
+
+        Ok(Self {
+            version,
+            issuer_unique_id,
+            subject_unique_id,
+            serial_number,
+            issuer,
+            subject,
+            validity,
+            subject_public_key_info,
+            signature_alg,
+            signature_alg_marker: core::marker::PhantomData,
+            signature,
+            extensions,
+        })
+    }
+
+    pub fn build<S>(&mut self, signer: S) -> Result<Certificate<'_>>
+    where
+        S: Signer<Alg = SA>,
+    {
+        let signature_alg =
+            AlgorithmIdentifier::decode(&mut SliceReader::new(&self.signature_alg)?)?;
+        let issuer = Name::decode(&mut SliceReader::new(&self.issuer)?)?;
+        let serial_number = UIntRef::new(&self.serial_number).unwrap();
+        let subject = Name::decode(&mut SliceReader::new(&self.subject)?)?;
+        let subject_public_key_info =
+            SubjectPublicKeyInfo::decode(&mut SliceReader::new(&self.subject_public_key_info)?)?;
+        let issuer_unique_id =
+            BitStringRef::decode(&mut SliceReader::new(&self.issuer_unique_id)?)?;
+        let subject_unique_id =
+            BitStringRef::decode(&mut SliceReader::new(&self.subject_unique_id)?)?;
+
+        let tbs_certificate = TbsCertificate {
+            version: self.version,
+            serial_number,
+            signature: signature_alg,
+            issuer,
+            validity: self.validity,
+            subject,
+            subject_public_key_info,
+            issuer_unique_id,
+            subject_unique_id,
+            extensions: None,
+        };
+
+        self.signature = signer.sign(&tbs_certificate);
+        let signature = BitStringRef::from_bytes(&self.signature)?;
+
+        let cert = Certificate {
+            tbs_certificate,
+            signature_algorithm: signature_alg,
+            signature,
+        };
+
+        println!("cert: {:?}", cert);
+
+        Ok(cert)
+    }
+}
+
+pub trait CertSignatureAlgorithm {
+    fn signature_algorithm(&self) -> AlgorithmIdentifier<'_>;
+}
+
+pub trait Signer {
+    type Alg: CertSignatureAlgorithm;
+
+    fn sign(&self, input: &TbsCertificate<'_>) -> Vec<u8>;
+}

x509-cert/src/constants.rs

@@ -0,0 +1,16 @@
+use crate::{builder::CertSignatureAlgorithm, der::asn1, spki::AlgorithmIdentifier};
+
+pub struct RsaWithSha256;
+
+impl RsaWithSha256 {
+    const OID: asn1::ObjectIdentifier = asn1::ObjectIdentifier::new_unwrap("1.2.840.113549.1.1.11");
+}
+
+impl CertSignatureAlgorithm for RsaWithSha256 {
+    fn signature_algorithm(&self) -> AlgorithmIdentifier<'_> {
+        AlgorithmIdentifier {
+            oid: RsaWithSha256::OID.clone(),
+            parameters: None,
+        }
+    }
+}

x509-cert/src/lib.rs

@@ -23,7 +23,11 @@ mod macros;
 
 pub mod anchor;
 pub mod attr;
+#[cfg(feature = "builder")]
+pub mod builder;
 pub mod certificate;
+#[cfg(feature = "builder")]
+pub mod constants;
 pub mod crl;
 pub mod ext;
 pub mod name;