| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/trust_anchor_util.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>trust_anchor_util.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../normalize.css"><link rel="stylesheet" href="../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../ayu.css" disabled><link rel="stylesheet" href="../../dark.css" disabled><link rel="stylesheet" href="../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../storage.js"></script><script defer src="../../source-script.js"></script><script defer src="../../source-files.js"></script><script defer src="../../main.js"></script><noscript><link rel="stylesheet" href="../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../webpki/index.html"><div class="logo-container"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../webpki/index.html"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span> |
| <span id="2">2</span> |
| <span id="3">3</span> |
| <span id="4">4</span> |
| <span id="5">5</span> |
| <span id="6">6</span> |
| <span id="7">7</span> |
| <span id="8">8</span> |
| <span id="9">9</span> |
| <span id="10">10</span> |
| <span id="11">11</span> |
| <span id="12">12</span> |
| <span id="13">13</span> |
| <span id="14">14</span> |
| <span id="15">15</span> |
| <span id="16">16</span> |
| <span id="17">17</span> |
| <span id="18">18</span> |
| <span id="19">19</span> |
| <span id="20">20</span> |
| <span id="21">21</span> |
| <span id="22">22</span> |
| <span id="23">23</span> |
| <span id="24">24</span> |
| <span id="25">25</span> |
| <span id="26">26</span> |
| <span id="27">27</span> |
| <span id="28">28</span> |
| <span id="29">29</span> |
| <span id="30">30</span> |
| <span id="31">31</span> |
| <span id="32">32</span> |
| <span id="33">33</span> |
| <span id="34">34</span> |
| <span id="35">35</span> |
| <span id="36">36</span> |
| <span id="37">37</span> |
| <span id="38">38</span> |
| <span id="39">39</span> |
| <span id="40">40</span> |
| <span id="41">41</span> |
| <span id="42">42</span> |
| <span id="43">43</span> |
| <span id="44">44</span> |
| <span id="45">45</span> |
| <span id="46">46</span> |
| <span id="47">47</span> |
| <span id="48">48</span> |
| <span id="49">49</span> |
| <span id="50">50</span> |
| <span id="51">51</span> |
| <span id="52">52</span> |
| <span id="53">53</span> |
| <span id="54">54</span> |
| <span id="55">55</span> |
| <span id="56">56</span> |
| <span id="57">57</span> |
| <span id="58">58</span> |
| <span id="59">59</span> |
| <span id="60">60</span> |
| <span id="61">61</span> |
| <span id="62">62</span> |
| <span id="63">63</span> |
| <span id="64">64</span> |
| <span id="65">65</span> |
| <span id="66">66</span> |
| <span id="67">67</span> |
| <span id="68">68</span> |
| <span id="69">69</span> |
| <span id="70">70</span> |
| <span id="71">71</span> |
| <span id="72">72</span> |
| <span id="73">73</span> |
| <span id="74">74</span> |
| <span id="75">75</span> |
| <span id="76">76</span> |
| <span id="77">77</span> |
| <span id="78">78</span> |
| <span id="79">79</span> |
| <span id="80">80</span> |
| <span id="81">81</span> |
| <span id="82">82</span> |
| <span id="83">83</span> |
| <span id="84">84</span> |
| <span id="85">85</span> |
| <span id="86">86</span> |
| <span id="87">87</span> |
| <span id="88">88</span> |
| <span id="89">89</span> |
| <span id="90">90</span> |
| <span id="91">91</span> |
| <span id="92">92</span> |
| <span id="93">93</span> |
| <span id="94">94</span> |
| <span id="95">95</span> |
| <span id="96">96</span> |
| <span id="97">97</span> |
| <span id="98">98</span> |
| <span id="99">99</span> |
| <span id="100">100</span> |
| <span id="101">101</span> |
| <span id="102">102</span> |
| <span id="103">103</span> |
| <span id="104">104</span> |
| <span id="105">105</span> |
| <span id="106">106</span> |
| <span id="107">107</span> |
| <span id="108">108</span> |
| <span id="109">109</span> |
| <span id="110">110</span> |
| <span id="111">111</span> |
| <span id="112">112</span> |
| <span id="113">113</span> |
| <span id="114">114</span> |
| <span id="115">115</span> |
| <span id="116">116</span> |
| <span id="117">117</span> |
| <span id="118">118</span> |
| <span id="119">119</span> |
| <span id="120">120</span> |
| </pre><pre class="rust"><code><span class="comment">// Copyright 2015 Brian Smith. |
| // |
| // Permission to use, copy, modify, and/or distribute this software for any |
| // purpose with or without fee is hereby granted, provided that the above |
| // copyright notice and this permission notice appear in all copies. |
| // |
| // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES |
| // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR |
| // ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| |
| </span><span class="doccomment">//! Utilities for efficiently embedding trust anchors in programs. |
| |
| </span><span class="kw">use </span><span class="kw">super</span>::der; |
| <span class="kw">use crate</span>::{ |
| cert::{certificate_serial_number, parse_cert_internal, Cert, EndEntityOrCA}, |
| Error, TrustAnchor, |
| }; |
| |
| <span class="doccomment">/// Interprets the given DER-encoded certificate as a `TrustAnchor`. The |
| /// certificate is not validated. In particular, there is no check that the |
| /// certificate is self-signed or even that the certificate has the cA basic |
| /// constraint. |
| </span><span class="kw">pub fn </span>cert_der_as_trust_anchor(cert_der: <span class="kw-2">&</span>[u8]) -> <span class="prelude-ty">Result</span><TrustAnchor, Error> { |
| <span class="kw">let </span>cert_der = untrusted::Input::from(cert_der); |
| |
| <span class="comment">// XXX: `EndEntityOrCA::EndEntity` is used instead of `EndEntityOrCA::CA` |
| // because we don't have a reference to a child cert, which is needed for |
| // `EndEntityOrCA::CA`. For this purpose, it doesn't matter. |
| // |
| // v1 certificates will result in `Error::BadDER` because `parse_cert` will |
| // expect a version field that isn't there. In that case, try to parse the |
| // certificate using a special parser for v1 certificates. Notably, that |
| // parser doesn't allow extensions, so there's no need to worry about |
| // embedded name constraints in a v1 certificate. |
| </span><span class="kw">match </span>parse_cert_internal( |
| cert_der, |
| EndEntityOrCA::EndEntity, |
| possibly_invalid_certificate_serial_number, |
| ) { |
| <span class="prelude-val">Ok</span>(cert) => <span class="prelude-val">Ok</span>(trust_anchor_from_cert(cert)), |
| <span class="prelude-val">Err</span>(Error::BadDER) => parse_cert_v1(cert_der).or(<span class="prelude-val">Err</span>(Error::BadDER)), |
| <span class="prelude-val">Err</span>(err) => <span class="prelude-val">Err</span>(err), |
| } |
| } |
| |
| <span class="kw">fn </span>possibly_invalid_certificate_serial_number<<span class="lifetime">'a</span>>( |
| input: <span class="kw-2">&mut </span>untrusted::Reader<<span class="lifetime">'a</span>>, |
| ) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.1.2.2: |
| // * Conforming CAs MUST NOT use serialNumber values longer than 20 octets." |
| // * "The serial number MUST be a positive integer [...]" |
| // |
| // However, we don't enforce these constraints on trust anchors, as there |
| // are widely-deployed trust anchors that violate these constraints. |
| </span>skip(input, der::Tag::Integer) |
| } |
| |
| <span class="doccomment">/// Generates code for hard-coding the given trust anchors into a program. This |
| /// is designed to be used in a build script. `name` is the name of the public |
| /// static variable that will contain the TrustAnchor array. |
| </span><span class="kw">pub fn </span>generate_code_for_trust_anchors(name: <span class="kw-2">&</span>str, trust_anchors: <span class="kw-2">&</span>[TrustAnchor]) -> String { |
| <span class="kw">let </span>decl = <span class="macro">format!</span>( |
| <span class="string">"static {}: [TrustAnchor<'static>; {}] = "</span>, |
| name, |
| trust_anchors.len() |
| ); |
| |
| <span class="comment">// "{:?}" formats the array of trust anchors as Rust code, approximately, |
| // except that it drops the leading "&" on slices. |
| </span><span class="kw">let </span>value = str::replace(<span class="kw-2">&</span><span class="macro">format!</span>(<span class="string">"{:?};\n"</span>, trust_anchors), <span class="string">": ["</span>, <span class="string">": &["</span>); |
| |
| decl + <span class="kw-2">&</span>value |
| } |
| |
| <span class="kw">fn </span>trust_anchor_from_cert<<span class="lifetime">'a</span>>(cert: Cert<<span class="lifetime">'a</span>>) -> TrustAnchor<<span class="lifetime">'a</span>> { |
| TrustAnchor { |
| subject: cert.subject.as_slice_less_safe(), |
| spki: cert.spki.value().as_slice_less_safe(), |
| name_constraints: cert.name_constraints.map(|nc| nc.as_slice_less_safe()), |
| } |
| } |
| |
| <span class="doccomment">/// Parses a v1 certificate directly into a TrustAnchor. |
| </span><span class="kw">fn </span>parse_cert_v1<<span class="lifetime">'a</span>>(cert_der: untrusted::Input<<span class="lifetime">'a</span>>) -> <span class="prelude-ty">Result</span><TrustAnchor<<span class="lifetime">'a</span>>, Error> { |
| <span class="comment">// X.509 Certificate: https://tools.ietf.org/html/rfc5280#section-4.1. |
| </span>cert_der.read_all(Error::BadDER, |cert_der| { |
| der::nested(cert_der, der::Tag::Sequence, Error::BadDER, |cert_der| { |
| <span class="kw">let </span>anchor = der::nested(cert_der, der::Tag::Sequence, Error::BadDER, |tbs| { |
| <span class="comment">// The version number field does not appear in v1 certificates. |
| </span>certificate_serial_number(tbs)<span class="question-mark">?</span>; |
| |
| skip(tbs, der::Tag::Sequence)<span class="question-mark">?</span>; <span class="comment">// signature. |
| </span>skip(tbs, der::Tag::Sequence)<span class="question-mark">?</span>; <span class="comment">// issuer. |
| </span>skip(tbs, der::Tag::Sequence)<span class="question-mark">?</span>; <span class="comment">// validity. |
| </span><span class="kw">let </span>subject = der::expect_tag_and_get_value(tbs, der::Tag::Sequence)<span class="question-mark">?</span>; |
| <span class="kw">let </span>spki = der::expect_tag_and_get_value(tbs, der::Tag::Sequence)<span class="question-mark">?</span>; |
| |
| <span class="prelude-val">Ok</span>(TrustAnchor { |
| subject: subject.as_slice_less_safe(), |
| spki: spki.as_slice_less_safe(), |
| name_constraints: <span class="prelude-val">None</span>, |
| }) |
| }); |
| |
| <span class="comment">// read and discard signatureAlgorithm + signature |
| </span>skip(cert_der, der::Tag::Sequence)<span class="question-mark">?</span>; |
| skip(cert_der, der::Tag::BitString)<span class="question-mark">?</span>; |
| |
| anchor |
| }) |
| }) |
| } |
| |
| <span class="kw">fn </span>skip(input: <span class="kw-2">&mut </span>untrusted::Reader, tag: der::Tag) -> <span class="prelude-ty">Result</span><(), Error> { |
| der::expect_tag_and_get_value(input, tag).map(|<span class="kw">_</span>| ()) |
| } |
| </code></pre></div> |
| </section></div></main><div id="rustdoc-vars" data-root-path="../../" data-current-crate="webpki" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |