impl Initial parsing validation logic

Author: jean-airoldie

.gitignore

@@ -2,3 +2,4 @@
 **/*.rs.bk
 certs/
 .idea
+tags

rcgen/Cargo.toml

@@ -28,7 +28,8 @@ ring = { workspace = true, optional = true }
 pem = { workspace = true, optional = true }
 pki-types = { workspace = true }
 time = { version = "0.3.6", default-features = false }
-x509-parser = { workspace = true, features = ["verify"], optional = true }
+#x509-parser = { workspace = true, features = ["verify"], optional = true }
+x509-parser = { features = ["verify"], optional = true, git = "https://github.com/jean-airoldie/x509-parser", branch = "custom-extension" }
 zeroize = { version = "1.2", optional = true }
 
 [features]
@@ -51,7 +52,7 @@ allowed_external_types = [
 [dev-dependencies]
 openssl = "0.10"
 pki-types = { package = "rustls-pki-types", version = "1" }
-x509-parser = { workspace = true, features = ["verify"] }
+x509-parser = { features = ["verify"], git = "https://github.com/jean-airoldie/x509-parser", branch = "custom-extension" }
 rustls-webpki = { version = "0.103", features = ["ring", "std"] }
 botan = { version = "0.11", features = ["vendored"] }
 ring = { workspace = true }

rcgen/src/csr.rs

@@ -11,6 +11,8 @@ use crate::{
 };
 #[cfg(feature = "x509-parser")]
 use crate::{DistinguishedName, SanType};
+#[cfg(feature = "x509-parser")]
+use x509_parser::asn1_rs::Oid;
 
 /// A public key, extracted from a CSR
 #[derive(Debug, PartialEq, Eq, Hash)]
@@ -84,6 +86,23 @@ impl CertificateSigningRequestParams {
 		Self::from_der(&csr.contents().into())
 	}
 
+	/// Parse a certificate signing request from the ASCII PEM format
+	/// using the provided validator function to handle unknown extension
+	/// types.
+	///
+	/// The validator function must return an error if the attribute OID or value
+	/// is incorrect.
+	///
+	/// See [`from_der`](Self::from_der) for more details.
+	#[cfg(all(feature = "pem", feature = "x509-parser"))]
+	pub fn from_pem_validated<F>(pem_str: &str, valid_fn: F) -> Result<Self, Error>
+	where
+		F: FnMut(&Oid, &[u8]) -> Result<(), Error>,
+	{
+		let csr = pem::parse(pem_str).or(Err(Error::CouldNotParseCertificationRequest))?;
+		Self::from_der_validated(&csr.contents().into(), valid_fn)
+	}
+
 	/// Parse a certificate signing request from DER-encoded bytes
 	///
 	/// Currently, this only supports the `Subject Alternative Name` extension.
@@ -96,6 +115,24 @@ impl CertificateSigningRequestParams {
 	/// [`rustls_pemfile::csr()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.csr.html
 	#[cfg(feature = "x509-parser")]
 	pub fn from_der(csr: &CertificateSigningRequestDer<'_>) -> Result<Self, Error> {
+		Self::from_der_validated(csr, |_, _| Ok(()))
+	}
+
+	/// Parse a certificate signing request from DER-encoded bytes using the provided
+	/// validator function to handle unknown extension types.
+	///
+	/// The validator function must return an error if the attribute OID or value
+	/// is incorrect.
+	///
+	/// See [`from_der`](Self::from_der) for more details.
+	#[cfg(feature = "x509-parser")]
+	pub fn from_der_validated<F>(
+		csr: &CertificateSigningRequestDer<'_>,
+		mut valid_fn: F,
+	) -> Result<Self, Error>
+	where
+		F: FnMut(&Oid, &[u8]) -> Result<(), Error>,
+	{
 		use crate::KeyUsagePurpose;
 		use x509_parser::prelude::FromDer;
 
@@ -171,7 +208,13 @@ impl CertificateSigningRequestParams {
 							return Err(Error::UnsupportedExtension);
 						}
 					},
-					_ => return Err(Error::UnsupportedExtension),
+					x509_parser::extensions::ParsedExtension::UnsupportedExtension { oid, value } => {
+						valid_fn(oid, value)?;
+					},
+					other => {
+						dbg!(&other);
+						return Err(Error::UnsupportedExtension);
+					}
 				}
 			}
 		}

rcgen/tests/generic.rs

@@ -132,6 +132,20 @@ mod test_x509_custom_ext {
 			.expect("missing requested custom extension");
 		assert!(custom_ext.critical);
 		assert_eq!(custom_ext.value, test_ext);
+
+		let csr_params = rcgen::CertificateSigningRequestParams::from_der_validated(
+			test_cert_csr.der(),
+			|oid, value| {
+				if oid != &test_oid || value != &test_ext {
+					Err(rcgen::Error::UnsupportedExtension)
+				} else {
+					Ok(())
+				}
+			},
+		)
+		.unwrap();
+
+		assert_eq!(csr_params.params, params);
 	}
 }