x509-cert: provide parsing profiles

This allow the user to relax checks when parsing certificate and
cover for non rfc5280 compliant x509 certificates.

Author: baloo

der/derive/src/attributes.rs

@@ -79,6 +79,9 @@ pub(crate) struct FieldAttrs {
 
     /// Is the inner type constructed?
     pub constructed: bool,
+
+    /// Is the type skipped?
+    pub skipped: Option<Path>,
 }
 
 impl FieldAttrs {
@@ -98,6 +101,7 @@ impl FieldAttrs {
         let mut optional = None;
         let mut tag_mode = None;
         let mut constructed = None;
+        let mut skipped = None;
 
         let mut parsed_attrs = Vec::new();
         AttrNameValue::from_attributes(attrs, &mut parsed_attrs);
@@ -154,6 +158,15 @@ impl FieldAttrs {
                 }
 
                 constructed = Some(ty);
+            // `skipped` attribute
+            } else if attr.parse_value::<String>("skipped").is_some() {
+                if skipped.is_some() {
+                    abort!(attr.name, "duplicate ASN.1 `skipped` attribute");
+                }
+
+                skipped = Some(attr.value.parse().unwrap_or_else(|e| {
+                    abort!(attr.value, "error parsing ASN.1 `skipped` attribute: {}", e)
+                }));
             } else {
                 abort!(
                     attr.name,
@@ -171,6 +184,7 @@ impl FieldAttrs {
             optional: optional.unwrap_or_default(),
             tag_mode: tag_mode.unwrap_or(type_attrs.tag_mode),
             constructed: constructed.unwrap_or_default(),
+            skipped,
         }
     }
 

der/derive/src/sequence.rs

@@ -8,7 +8,7 @@ use field::SequenceField;
 use proc_macro2::TokenStream;
 use proc_macro_error::abort;
 use quote::quote;
-use syn::{DeriveInput, Ident, Lifetime};
+use syn::{DeriveInput, Ident, Lifetime, TypeParam};
 
 /// Derive the `Sequence` trait for a struct
 pub(crate) struct DeriveSequence {
@@ -18,6 +18,9 @@ pub(crate) struct DeriveSequence {
     /// Lifetime of the struct.
     lifetime: Option<Lifetime>,
 
+    /// Type param of the struct.
+    type_param: Option<TypeParam>,
+
     /// Fields of the struct.
     fields: Vec<SequenceField>,
 }
@@ -40,6 +43,8 @@ impl DeriveSequence {
             .next()
             .map(|lt| lt.lifetime.clone());
 
+        let type_param = input.generics.type_params().next().cloned();
+
         let type_attrs = TypeAttrs::parse(&input.attrs);
 
         let fields = data
@@ -51,6 +56,7 @@ impl DeriveSequence {
         Self {
             ident: input.ident,
             lifetime,
+            type_param,
             fields,
         }
     }
@@ -72,6 +78,13 @@ impl DeriveSequence {
             .map(|_| lifetime.clone())
             .unwrap_or_default();
 
+        let type_params = self.type_param.as_ref().map(|t| {
+            let mut t = t.clone();
+            t.default = None;
+            t
+        });
+        let type_params_names = self.type_param.as_ref().map(|t| t.ident.clone());
+
         let mut decode_body = Vec::new();
         let mut decode_result = Vec::new();
         let mut encoded_lengths = Vec::new();
@@ -81,13 +94,14 @@ impl DeriveSequence {
             decode_body.push(field.to_decode_tokens());
             decode_result.push(&field.ident);
 
-            let field = field.to_encode_tokens();
-            encoded_lengths.push(quote!(#field.encoded_len()?));
-            encode_fields.push(quote!(#field.encode(writer)?;));
+            if let Some(field) = field.to_encode_tokens() {
+                encoded_lengths.push(quote!(#field.encoded_len()?));
+                encode_fields.push(quote!(#field.encode(writer)?;));
+            }
         }
 
         quote! {
-            impl<#lifetime> ::der::DecodeValue<#lifetime> for #ident<#lt_params> {
+            impl<#lifetime, #type_params> ::der::DecodeValue<#lifetime> for #ident<#lt_params #type_params_names> {
                 fn decode_value<R: ::der::Reader<#lifetime>>(
                     reader: &mut R,
                     header: ::der::Header,
@@ -104,7 +118,7 @@ impl DeriveSequence {
                 }
             }
 
-            impl<#lifetime> ::der::EncodeValue for #ident<#lt_params> {
+            impl<#lifetime, #type_params> ::der::EncodeValue for #ident<#lt_params #type_params_names> {
                 fn value_len(&self) -> ::der::Result<::der::Length> {
                     use ::der::Encode as _;
 
@@ -122,7 +136,7 @@ impl DeriveSequence {
                 }
             }
 
-            impl<#lifetime> ::der::Sequence<#lifetime> for #ident<#lt_params> {}
+            impl<#lifetime, #type_params> ::der::Sequence<#lifetime> for #ident<#lt_params #type_params_names> {}
         }
     }
 }

der/derive/src/sequence/field.rs

@@ -72,11 +72,22 @@ impl SequenceField {
             }
         }
 
+        if let Some(default) = &self.attrs.skipped {
+            let ident = &self.ident;
+            return quote! {
+                let #ident = #default();
+            };
+        }
+
         lowerer.into_tokens(&self.ident)
     }
 
     /// Derive code for encoding a field of a sequence.
-    pub(super) fn to_encode_tokens(&self) -> TokenStream {
+    pub(super) fn to_encode_tokens(&self) -> Option<TokenStream> {
+        if self.attrs.skipped.is_some() {
+            return None;
+        }
+
         let mut lowerer = LowerFieldEncoder::new(&self.ident);
         let attrs = &self.attrs;
 
@@ -101,7 +112,7 @@ impl SequenceField {
             lowerer.apply_default(&self.ident, default);
         }
 
-        lowerer.into_tokens()
+        Some(lowerer.into_tokens())
     }
 }
 

der/derive/src/value_ord.rs

@@ -171,6 +171,10 @@ impl ValueField {
 
     /// Lower to [`TokenStream`].
     fn to_tokens(&self) -> TokenStream {
+        if self.attrs.skipped.is_some() {
+            return TokenStream::default();
+        }
+
         let ident = &self.ident;
 
         if self.is_enum {

x509-cert/src/certificate.rs

@@ -3,14 +3,49 @@
 use crate::{name::Name, serial_number::SerialNumber, time::Validity};
 use alloc::vec::Vec;
 use const_oid::AssociatedOid;
-use core::cmp::Ordering;
+use core::{cmp::Ordering, fmt::Debug, marker::PhantomData};
 use der::asn1::BitString;
-use der::{Decode, Enumerated, Error, ErrorKind, Sequence, ValueOrd};
+use der::{Decode, Enumerated, Error, ErrorKind, Sequence, Tag, ValueOrd};
 use spki::{AlgorithmIdentifierOwned, SubjectPublicKeyInfoOwned};
 
 #[cfg(feature = "pem")]
 use der::pem::PemLabel;
 
+/// [`Profile`] allows the consumer of this crate to customize the behavior when parsing
+/// certificates.
+/// By default, parsing will be made in a rfc5280-compliant manner.
+pub trait Profile: PartialEq + Debug + Eq + Clone {
+    /// Checks to run when parsing serial numbers
+    fn check_serial_number(serial: &SerialNumber<Self>) -> der::Result<()> {
+        // See the note in `SerialNumber::new`: we permit lengths of 21 bytes here,
+        // since some X.509 implementations interpret the limit of 20 bytes to refer
+        // to the pre-encoded value.
+        if serial.inner.len() > SerialNumber::<Self>::MAX_DECODE_LEN {
+            Err(Tag::Integer.value_error())
+        } else {
+            Ok(())
+        }
+    }
+}
+
+#[derive(Debug, PartialEq, Eq, Clone)]
+/// Parse certificates with rfc5280-compliant checks
+pub struct Rfc5280;
+
+impl Profile for Rfc5280 {}
+
+#[cfg(feature = "hazmat")]
+#[derive(Debug, PartialEq, Eq, Clone)]
+/// Parse raw x509 certificate and disable all the checks
+pub struct Raw;
+
+#[cfg(feature = "hazmat")]
+impl Profile for Raw {
+    fn check_serial_number(_serial: &SerialNumber<Self>) -> der::Result<()> {
+        Ok(())
+    }
+}
+
 /// Certificate `Version` as defined in [RFC 5280 Section 4.1].
 ///
 /// ```text
@@ -73,7 +108,7 @@ impl Default for Version {
 #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Eq, PartialEq, Sequence, ValueOrd)]
 #[allow(missing_docs)]
-pub struct TbsCertificate {
+pub struct TbsCertificate<P: Profile = Rfc5280> {
     /// The certificate version
     ///
     /// Note that this value defaults to Version 1 per the RFC. However,
@@ -83,7 +118,7 @@ pub struct TbsCertificate {
     #[asn1(context_specific = "0", default = "Default::default")]
     pub version: Version,
 
-    pub serial_number: SerialNumber,
+    pub serial_number: SerialNumber<P>,
     pub signature: AlgorithmIdentifierOwned,
     pub issuer: Name,
     pub validity: Validity,
@@ -98,9 +133,12 @@ pub struct TbsCertificate {
 
     #[asn1(context_specific = "3", tag_mode = "EXPLICIT", optional = "true")]
     pub extensions: Option<crate::ext::Extensions>,
+
+    #[asn1(skipped = "Default::default")]
+    _profile: PhantomData<P>,
 }
 
-impl TbsCertificate {
+impl<P: Profile> TbsCertificate<P> {
     /// Decodes a single extension
     ///
     /// Returns an error if multiple of these extensions is present. Returns
@@ -146,14 +184,14 @@ impl TbsCertificate {
 #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Eq, PartialEq, Sequence, ValueOrd)]
 #[allow(missing_docs)]
-pub struct Certificate {
-    pub tbs_certificate: TbsCertificate,
+pub struct Certificate<P: Profile = Rfc5280> {
+    pub tbs_certificate: TbsCertificate<P>,
     pub signature_algorithm: AlgorithmIdentifierOwned,
     pub signature: BitString,
 }
 
 #[cfg(feature = "pem")]
-impl PemLabel for Certificate {
+impl<P: Profile> PemLabel for Certificate<P> {
     const PEM_LABEL: &'static str = "CERTIFICATE";
 }
 

x509-cert/src/serial_number.rs

@@ -1,13 +1,15 @@
 //! X.509 serial number
 
-use core::fmt::Display;
+use core::{fmt::Display, marker::PhantomData};
 
 use der::{
     asn1::{self, Int},
     DecodeValue, EncodeValue, ErrorKind, FixedTag, Header, Length, Reader, Result, Tag, ValueOrd,
     Writer,
 };
 
+use crate::certificate::{Profile, Rfc5280};
+
 /// [RFC 5280 Section 4.1.2.2.]  Serial Number
 ///
 ///   The serial number MUST be a positive integer assigned by the CA to
@@ -25,16 +27,18 @@ use der::{
 ///   that are negative or zero.  Certificate users SHOULD be prepared to
 ///   gracefully handle such certificates.
 #[derive(Clone, Debug, Eq, PartialEq, ValueOrd, PartialOrd, Ord)]
-pub struct SerialNumber {
-    inner: Int,
+pub struct SerialNumber<P: Profile = Rfc5280> {
+    pub(crate) inner: Int,
+    #[asn1(skipped = "Default::default")]
+    _profile: PhantomData<P>,
 }
 
-impl SerialNumber {
+impl<P: Profile> SerialNumber<P> {
     /// Maximum length in bytes for a [`SerialNumber`]
     pub const MAX_LEN: Length = Length::new(20);
 
     /// See notes in `SerialNumber::new` and `SerialNumber::decode_value`.
-    const MAX_DECODE_LEN: Length = Length::new(21);
+    pub(crate) const MAX_DECODE_LEN: Length = Length::new(21);
 
     /// Create a new [`SerialNumber`] from a byte slice.
     ///
@@ -47,12 +51,13 @@ impl SerialNumber {
         // RFC 5280 is ambiguous about whether this is valid, so we limit
         // `SerialNumber` *encodings* to 20 bytes or fewer while permitting
         // `SerialNumber` *decodings* to have up to 21 bytes below.
-        if inner.value_len()? > SerialNumber::MAX_LEN {
+        if inner.value_len()? > Self::MAX_LEN {
             return Err(ErrorKind::Overlength.into());
         }
 
         Ok(Self {
             inner: inner.into(),
+            _profile: PhantomData,
         })
     }
 
@@ -63,7 +68,7 @@ impl SerialNumber {
     }
 }
 
-impl EncodeValue for SerialNumber {
+impl<P: Profile> EncodeValue for SerialNumber<P> {
     fn value_len(&self) -> Result<Length> {
         self.inner.value_len()
     }
@@ -73,22 +78,21 @@ impl EncodeValue for SerialNumber {
     }
 }
 
-impl<'a> DecodeValue<'a> for SerialNumber {
+impl<'a, P: Profile> DecodeValue<'a> for SerialNumber<P> {
     fn decode_value<R: Reader<'a>>(reader: &mut R, header: Header) -> Result<Self> {
         let inner = Int::decode_value(reader, header)?;
+        let serial = Self {
+            inner,
+            _profile: PhantomData,
+        };
 
-        // See the note in `SerialNumber::new`: we permit lengths of 21 bytes here,
-        // since some X.509 implementations interpret the limit of 20 bytes to refer
-        // to the pre-encoded value.
-        if inner.len() > SerialNumber::MAX_DECODE_LEN {
-            return Err(Tag::Integer.value_error());
-        }
+        P::check_serial_number(&serial)?;
 
-        Ok(Self { inner })
+        Ok(serial)
     }
 }
 
-impl FixedTag for SerialNumber {
+impl<P: Profile> FixedTag for SerialNumber<P> {
     const TAG: Tag = <Int as FixedTag>::TAG;
 }
 
@@ -131,7 +135,7 @@ impl_from!(usize);
 // Implement by hand because the derive would create invalid values.
 // Use the constructor to create a valid value.
 #[cfg(feature = "arbitrary")]
-impl<'a> arbitrary::Arbitrary<'a> for SerialNumber {
+impl<'a, P: Profile> arbitrary::Arbitrary<'a> for SerialNumber<P> {
     fn arbitrary(u: &mut arbitrary::Unstructured<'a>) -> arbitrary::Result<Self> {
         let len = u.int_in_range(0u32..=Self::MAX_LEN.into())?;
 
@@ -154,7 +158,7 @@ mod tests {
         // Creating a new serial with an oversized encoding (due to high MSB) fails.
         {
             let too_big = [0x80; 20];
-            assert!(SerialNumber::new(&too_big).is_err());
+            assert!(SerialNumber::<Rfc5280>::new(&too_big).is_err());
         }
 
         // Creating a new serial with the maximum encoding succeeds.
@@ -163,7 +167,7 @@ mod tests {
                 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
             ];
-            assert!(SerialNumber::new(&just_enough).is_ok());
+            assert!(SerialNumber::<Rfc5280>::new(&just_enough).is_ok());
         }
     }