x509-cert: provide parsing profiles

This allow the user to relax checks when parsing certificate and
cover for non rfc5280 compliant x509 certificates.

Author: baloo

der/derive/src/attributes.rs

@@ -79,6 +79,9 @@ pub(crate) struct FieldAttrs {
 
     /// Is the inner type constructed?
     pub constructed: bool,
+
+    /// Is the type skipped?
+    pub skipped: Option<Path>,
 }
 
 impl FieldAttrs {
@@ -98,6 +101,7 @@ impl FieldAttrs {
         let mut optional = None;
         let mut tag_mode = None;
         let mut constructed = None;
+        let mut skipped = None;
 
         let mut parsed_attrs = Vec::new();
         AttrNameValue::from_attributes(attrs, &mut parsed_attrs);
@@ -154,6 +158,15 @@ impl FieldAttrs {
                 }
 
                 constructed = Some(ty);
+            // `skipped` attribute
+            } else if attr.parse_value::<String>("skipped").is_some() {
+                if skipped.is_some() {
+                    abort!(attr.name, "duplicate ASN.1 `skipped` attribute");
+                }
+
+                skipped = Some(attr.value.parse().unwrap_or_else(|e| {
+                    abort!(attr.value, "error parsing ASN.1 `skipped` attribute: {}", e)
+                }));
             } else {
                 abort!(
                     attr.name,
@@ -171,6 +184,7 @@ impl FieldAttrs {
             optional: optional.unwrap_or_default(),
             tag_mode: tag_mode.unwrap_or(type_attrs.tag_mode),
             constructed: constructed.unwrap_or_default(),
+            skipped,
         }
     }
 

der/derive/src/sequence.rs

@@ -8,7 +8,7 @@ use field::SequenceField;
 use proc_macro2::TokenStream;
 use proc_macro_error::abort;
 use quote::quote;
-use syn::{DeriveInput, Ident, Lifetime};
+use syn::{DeriveInput, Ident, Lifetime, TypeParam};
 
 /// Derive the `Sequence` trait for a struct
 pub(crate) struct DeriveSequence {
@@ -18,6 +18,9 @@ pub(crate) struct DeriveSequence {
     /// Lifetime of the struct.
     lifetime: Option<Lifetime>,
 
+    /// Type param of the struct.
+    type_param: Option<TypeParam>,
+
     /// Fields of the struct.
     fields: Vec<SequenceField>,
 }
@@ -40,6 +43,8 @@ impl DeriveSequence {
             .next()
             .map(|lt| lt.lifetime.clone());
 
+        let type_param = input.generics.type_params().next().map(|lt| lt.clone());
+
         let type_attrs = TypeAttrs::parse(&input.attrs);
 
         let fields = data
@@ -51,6 +56,7 @@ impl DeriveSequence {
         Self {
             ident: input.ident,
             lifetime,
+            type_param,
             fields,
         }
     }
@@ -72,6 +78,13 @@ impl DeriveSequence {
             .map(|_| lifetime.clone())
             .unwrap_or_default();
 
+        let type_params = self.type_param.as_ref().map(|t| {
+            let mut t = t.clone();
+            t.default = None;
+            t
+        });
+        let type_params_names = self.type_param.as_ref().map(|t| t.ident.clone());
+
         let mut decode_body = Vec::new();
         let mut decode_result = Vec::new();
         let mut encoded_lengths = Vec::new();
@@ -81,13 +94,14 @@ impl DeriveSequence {
             decode_body.push(field.to_decode_tokens());
             decode_result.push(&field.ident);
 
-            let field = field.to_encode_tokens();
-            encoded_lengths.push(quote!(#field.encoded_len()?));
-            encode_fields.push(quote!(#field.encode(writer)?;));
+            if let Some(field) = field.to_encode_tokens() {
+                encoded_lengths.push(quote!(#field.encoded_len()?));
+                encode_fields.push(quote!(#field.encode(writer)?;));
+            }
         }
 
         quote! {
-            impl<#lifetime> ::der::DecodeValue<#lifetime> for #ident<#lt_params> {
+            impl<#lifetime, #type_params> ::der::DecodeValue<#lifetime> for #ident<#lt_params #type_params_names> {
                 fn decode_value<R: ::der::Reader<#lifetime>>(
                     reader: &mut R,
                     header: ::der::Header,
@@ -104,7 +118,7 @@ impl DeriveSequence {
                 }
             }
 
-            impl<#lifetime> ::der::EncodeValue for #ident<#lt_params> {
+            impl<#lifetime, #type_params> ::der::EncodeValue for #ident<#lt_params #type_params_names> {
                 fn value_len(&self) -> ::der::Result<::der::Length> {
                     use ::der::Encode as _;
 
@@ -122,7 +136,7 @@ impl DeriveSequence {
                 }
             }
 
-            impl<#lifetime> ::der::Sequence<#lifetime> for #ident<#lt_params> {}
+            impl<#lifetime, #type_params> ::der::Sequence<#lifetime> for #ident<#lt_params #type_params_names> {}
         }
     }
 }

der/derive/src/sequence/field.rs

@@ -72,11 +72,22 @@ impl SequenceField {
             }
         }
 
+        if let Some(default) = &self.attrs.skipped {
+            let ident = &self.ident;
+            return quote! {
+                let #ident = #default();
+            };
+        }
+
         lowerer.into_tokens(&self.ident)
     }
 
     /// Derive code for encoding a field of a sequence.
-    pub(super) fn to_encode_tokens(&self) -> TokenStream {
+    pub(super) fn to_encode_tokens(&self) -> Option<TokenStream> {
+        if self.attrs.skipped.is_some() {
+            return None;
+        }
+
         let mut lowerer = LowerFieldEncoder::new(&self.ident);
         let attrs = &self.attrs;
 
@@ -101,7 +112,7 @@ impl SequenceField {
             lowerer.apply_default(&self.ident, default);
         }
 
-        lowerer.into_tokens()
+        Some(lowerer.into_tokens())
     }
 }
 

der/derive/src/value_ord.rs

@@ -171,6 +171,10 @@ impl ValueField {
 
     /// Lower to [`TokenStream`].
     fn to_tokens(&self) -> TokenStream {
+        if self.attrs.skipped.is_some() {
+            return TokenStream::default();
+        }
+
         let ident = &self.ident;
 
         if self.is_enum {

x509-cert/Cargo.toml

@@ -31,6 +31,7 @@ default = ["pem", "std"]
 std = ["const-oid/std", "der/std", "spki/std"]
 
 arbitrary = ["dep:arbitrary", "std", "der/arbitrary", "spki/arbitrary"]
+hazmat = []
 pem = ["der/pem", "spki/pem"]
 
 [package.metadata.docs.rs]

x509-cert/src/certificate.rs

@@ -3,14 +3,49 @@
 use crate::{name::Name, serial_number::SerialNumber, time::Validity};
 use alloc::vec::Vec;
 use const_oid::AssociatedOid;
-use core::cmp::Ordering;
+use core::{cmp::Ordering, fmt::Debug, marker::PhantomData};
 use der::asn1::BitString;
 use der::{Decode, Enumerated, Error, ErrorKind, Sequence, ValueOrd};
 use spki::{AlgorithmIdentifierOwned, SubjectPublicKeyInfoOwned};
 
 #[cfg(feature = "pem")]
 use der::pem::PemLabel;
 
+/// [`ParsingProfile`] allows the consumer of this crate to customize the behavior when parsing
+/// certificates.
+/// By default, parsing will be made in a rfc5280-compliant manner.
+pub trait ParsingProfile: PartialEq + Debug + Eq + Clone {
+    /// Checks to run when parsing serial numbers
+    fn check_serial_number(serial: &SerialNumber<Self>) -> der::Result<()> {
+        // See the note in `SerialNumber::new`: we permit lengths of 21 bytes here,
+        // since some X.509 implementations interpret the limit of 20 bytes to refer
+        // to the pre-encoded value.
+        if serial.inner.len() > SerialNumber::<Self>::MAX_DECODE_LEN {
+            Err(ErrorKind::Overlength.into())
+        } else {
+            Ok(())
+        }
+    }
+}
+
+#[derive(Debug, PartialEq, Eq, Clone)]
+/// Parse certificates with rfc5280-compliant checks
+pub struct Rfc5280;
+
+impl ParsingProfile for Rfc5280 {}
+
+#[cfg(feature = "hazmat")]
+#[derive(Debug, PartialEq, Eq, Clone)]
+/// Parse raw x509 certificate and disable all the checks
+pub struct Raw;
+
+#[cfg(feature = "hazmat")]
+impl ParsingProfile for Raw {
+    fn check_serial_number(_serial: &SerialNumber<Self>) -> der::Result<()> {
+        Ok(())
+    }
+}
+
 /// Certificate `Version` as defined in [RFC 5280 Section 4.1].
 ///
 /// ```text
@@ -73,7 +108,7 @@ impl Default for Version {
 #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Eq, PartialEq, Sequence, ValueOrd)]
 #[allow(missing_docs)]
-pub struct TbsCertificate {
+pub struct TbsCertificate<PP: ParsingProfile = Rfc5280> {
     /// The certificate version
     ///
     /// Note that this value defaults to Version 1 per the RFC. However,
@@ -83,7 +118,7 @@ pub struct TbsCertificate {
     #[asn1(context_specific = "0", default = "Default::default")]
     pub version: Version,
 
-    pub serial_number: SerialNumber,
+    pub serial_number: SerialNumber<PP>,
     pub signature: AlgorithmIdentifierOwned,
     pub issuer: Name,
     pub validity: Validity,
@@ -98,9 +133,12 @@ pub struct TbsCertificate {
 
     #[asn1(context_specific = "3", tag_mode = "EXPLICIT", optional = "true")]
     pub extensions: Option<crate::ext::Extensions>,
+
+    #[asn1(skipped = "Default::default")]
+    _profile: PhantomData<PP>,
 }
 
-impl TbsCertificate {
+impl<PP: ParsingProfile> TbsCertificate<PP> {
     /// Decodes a single extension
     ///
     /// Returns an error if multiple of these extensions is present. Returns
@@ -146,14 +184,14 @@ impl TbsCertificate {
 #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Eq, PartialEq, Sequence, ValueOrd)]
 #[allow(missing_docs)]
-pub struct Certificate {
-    pub tbs_certificate: TbsCertificate,
+pub struct Certificate<PP: ParsingProfile = Rfc5280> {
+    pub tbs_certificate: TbsCertificate<PP>,
     pub signature_algorithm: AlgorithmIdentifierOwned,
     pub signature: BitString,
 }
 
 #[cfg(feature = "pem")]
-impl PemLabel for Certificate {
+impl<PP: ParsingProfile> PemLabel for Certificate<PP> {
     const PEM_LABEL: &'static str = "CERTIFICATE";
 }