get extensions built

Author: baloo

x509-cert/src/builder.rs

@@ -7,10 +7,12 @@ use crate::{
         asn1::{BitString, BitStringRef, UIntRef},
         Decode, Encode, SliceReader,
     },
+    ext::{pkix::BasicConstraints, Extension},
     name::Name,
     spki::{AlgorithmIdentifier, SubjectPublicKeyInfo},
     time::Validity,
 };
+use const_oid::AssociatedOid;
 
 pub type Result<T> = core::result::Result<T, der::Error>;
 
@@ -34,10 +36,45 @@ impl UniqueIds {
     }
 }
 
+#[derive(Clone, Copy, Debug, PartialEq)]
+pub enum Profile {
+    Root,
+    SubCA,
+    Leaf,
+}
+
+impl Profile {
+    fn build_extensions(&self) -> Result<Vec<Vec<u8>>> {
+        let mut extensions = Vec::new();
+
+        match self {
+            Profile::Root => {
+                let ca_true = BasicConstraints {
+                    ca: true,
+                    path_len_constraint: None,
+                }
+                .to_vec()?;
+
+                extensions.push(
+                    Extension {
+                        extn_id: BasicConstraints::OID,
+                        critical: true,
+                        extn_value: &ca_true,
+                    }
+                    .to_vec()?,
+                );
+            }
+            _ => {}
+        };
+
+        Ok(extensions)
+    }
+}
+
 pub enum CertificateVersion {
     V1,
     V2(UniqueIds),
-    V3(UniqueIds),
+    V3 { uids: UniqueIds, profile: Profile },
 }
 
 impl Into<Version> for CertificateVersion {
@@ -46,7 +83,7 @@ impl Into<Version> for CertificateVersion {
         match self {
             V1 => Version::V1,
             V2(_) => Version::V2,
-            V3(_) => Version::V3,
+            V3 { .. } => Version::V3,
         }
     }
 }
@@ -87,14 +124,16 @@ impl<SA: CertSignatureAlgorithm> CertificateBuilder<SA> {
         let serial_number = serial_number.to_vec()?;
         let subject_public_key_info = subject_public_key_info.to_vec()?;
 
-        let (version, (issuer_unique_id, subject_unique_id)) = match version {
-            CertificateVersion::V1 => (Version::V1, (None, None)),
-            CertificateVersion::V2(uids) => (Version::V2, uids.to_vec()?),
-            CertificateVersion::V3(uids) => (Version::V3, uids.to_vec()?),
+        let (version, (issuer_unique_id, subject_unique_id), extensions) = match version {
+            CertificateVersion::V1 => (Version::V1, (None, None), Vec::new()),
+            CertificateVersion::V2(uids) => (Version::V2, uids.to_vec()?, Vec::new()),
+            CertificateVersion::V3 { uids, profile } => {
+                (Version::V3, uids.to_vec()?, profile.build_extensions()?)
+            }
         };
+        println!("extensions: {:?}", extensions);
 
         let signature = Default::default();
-        let extensions = Default::default();
 
         Ok(Self {
             version,
@@ -135,6 +174,21 @@ impl<SA: CertSignatureAlgorithm> CertificateBuilder<SA> {
         let issuer_unique_id = unique_id_mapper(&self.issuer_unique_id)?;
         let subject_unique_id = unique_id_mapper(&self.subject_unique_id)?;
 
+        let extensions = if self.version == Version::V3 {
+            println!("LASKJD1");
+            let mut extensions = Vec::new();
+            for extension in &self.extensions {
+                extensions.push(Extension::decode(&mut SliceReader::new(&extension)?)?);
+                //extensions.push(Extension::from_der(&extension)?);
+            }
+            println!("LASKJD2");
+
+            Some(extensions)
+        } else {
+            None
+        };
+        println!("LASKJD3");
+
         let tbs_certificate = TbsCertificate {
             version: self.version,
             serial_number,
@@ -145,7 +199,7 @@ impl<SA: CertSignatureAlgorithm> CertificateBuilder<SA> {
             subject_public_key_info,
             issuer_unique_id,
             subject_unique_id,
-            extensions: None,
+            extensions,
         };
 
         self.signature = signer.sign(&tbs_certificate);

x509-cert/tests/builder.rs

@@ -1,6 +1,6 @@
 #![cfg(all(feature = "builder", feature = "pem"))]
 
-use der::{asn1::UIntRef, pem::LineEnding, EncodePem};
+use der::{asn1::UIntRef, pem::LineEnding, Decode, EncodePem};
 use spki::SubjectPublicKeyInfo;
 use std::{
     fs::File,
@@ -10,7 +10,7 @@ use std::{
 };
 use tempfile::tempdir;
 use x509_cert::{
-    builder::{CertificateBuilder, CertificateVersion, Signer, UniqueIds},
+    builder::{CertificateBuilder, CertificateVersion, Profile, Signer, UniqueIds},
     certificate::{Certificate, TbsCertificate},
     constants,
     name::Name,
@@ -72,6 +72,8 @@ fn check_certificate(cert: &Certificate) {
         .read_to_end(&mut output_buf)
         .expect("read zlint output");
 
+    //println!("{}", String::from_utf8(output_buf.clone()).unwrap());
+
     let output: zlint::LintResult =
         serde_json::from_slice(&output_buf).expect("parse zlint output");
 
@@ -91,12 +93,16 @@ fn basic_certificate() {
     let serial_number = 42u32.to_be_bytes();
     let serial_number = UIntRef::new(&serial_number[..]).expect("create serial");
     let validity = Validity::from_now(Duration::new(5, 0)).unwrap();
-    let issuer = Name::default();
-    let subject = Name::default();
+    let issuer = Name::encode_from_string("CN=ca.example.com").unwrap();
+    let issuer = Name::from_der(&issuer).unwrap();
+    let subject = Name::encode_from_string("CN=demo.example.com").unwrap();
+    let subject = Name::from_der(&subject).unwrap();
     let pub_key = SubjectPublicKeyInfo::try_from(RSA_2048_DER_EXAMPLE).expect("get rsa pub key");
 
+    let profile = Profile::Root;
+
     let mut builder = CertificateBuilder::new(
-        CertificateVersion::V3(uids),
+        CertificateVersion::V3 { uids, profile },
         serial_number,
         constants::RsaWithSha256,
         validity,
@@ -116,7 +122,11 @@ fn basic_certificate() {
         }
     }
 
-    check_certificate(&builder.build(MockSigner).unwrap());
+    let certificate = builder.build(MockSigner).unwrap();
+
+    println!("{}", openssl::text_output(&certificate));
+
+    check_certificate(&certificate);
 }
 
 #[test]
@@ -140,11 +150,14 @@ mod zlint {
 
     #[derive(Debug, Copy, Clone, PartialEq)]
     pub enum Status {
-        NA,
+        NotApplicable,
+        NotEffective,
         Pass,
+        Notice,
         Info,
         Warn,
         Error,
+        Fatal,
     }
 
     impl Status {
@@ -176,8 +189,11 @@ mod zlint {
                     while let Some((key, value)) = access.next_entry::<&str, &str>()? {
                         if key == "result" {
                             value_output = Some(match value {
-                                "NA" => Status::NA,
+                                "NA" => Status::NotApplicable,
+                                "NE" => Status::NotEffective,
                                 "pass" => Status::Pass,
+                                "notice" => Status::Notice,
+                                "fatal" => Status::Fatal,
                                 "error" => Status::Error,
                                 "warn" => Status::Warn,
                                 "info" => Status::Info,
@@ -208,10 +224,11 @@ mod zlint {
 
     impl LintResult {
         pub fn check_lints(&self, ignored: &[&str]) -> bool {
-            let mut failed = Vec::new();
+            let mut failed = HashMap::<String, Status>::new();
+
             for (key, value) in &self.0 {
                 if !value.is_successful() && !ignored.contains(&key.as_str()) {
-                    failed.push(String::from(key));
+                    failed.insert(String::from(key), value.clone());
                 }
             }
 
@@ -221,3 +238,46 @@ mod zlint {
         }
     }
 }
+
+mod openssl {
+    use der::{pem::LineEnding, EncodePem};
+    use std::{
+        fs::File,
+        io::{Read, Write},
+        process::{Command, Stdio},
+    };
+    use tempfile::tempdir;
+    use x509_cert::certificate::Certificate;
+
+    pub fn text_output(cert: &Certificate) -> String {
+        let tmp_dir = tempdir().expect("create tempdir");
+        let cert_path = tmp_dir.path().join("cert.pem");
+
+        let pem = cert.to_pem(LineEnding::LF).expect("generate pem");
+        let mut cert_file = File::create(&cert_path).expect("create pem file");
+        cert_file
+            .write_all(pem.as_bytes())
+            .expect("Create pem file");
+
+        let mut child = Command::new("openssl")
+            .arg("x509")
+            .arg("-in")
+            .arg(&cert_path)
+            .arg("-noout")
+            .arg("-text")
+            .stderr(Stdio::inherit())
+            .stdout(Stdio::piped())
+            .spawn()
+            .expect("zlint failed");
+        let mut stdout = child.stdout.take().unwrap();
+        let exit_status = child.wait().expect("get openssl x509 status");
+
+        assert!(exit_status.success(), "openssl failed");
+        let mut output_buf = Vec::new();
+        stdout
+            .read_to_end(&mut output_buf)
+            .expect("read openssl output");
+
+        String::from_utf8(output_buf.clone()).unwrap()
+    }
+}