| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/verify_cert.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>verify_cert.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../normalize.css"><link rel="stylesheet" href="../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../ayu.css" disabled><link rel="stylesheet" href="../../dark.css" disabled><link rel="stylesheet" href="../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../storage.js"></script><script defer src="../../source-script.js"></script><script defer src="../../source-files.js"></script><script defer src="../../main.js"></script><noscript><link rel="stylesheet" href="../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../webpki/index.html"><div class="logo-container"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../webpki/index.html"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span> |
| <span id="2">2</span> |
| <span id="3">3</span> |
| <span id="4">4</span> |
| <span id="5">5</span> |
| <span id="6">6</span> |
| <span id="7">7</span> |
| <span id="8">8</span> |
| <span id="9">9</span> |
| <span id="10">10</span> |
| <span id="11">11</span> |
| <span id="12">12</span> |
| <span id="13">13</span> |
| <span id="14">14</span> |
| <span id="15">15</span> |
| <span id="16">16</span> |
| <span id="17">17</span> |
| <span id="18">18</span> |
| <span id="19">19</span> |
| <span id="20">20</span> |
| <span id="21">21</span> |
| <span id="22">22</span> |
| <span id="23">23</span> |
| <span id="24">24</span> |
| <span id="25">25</span> |
| <span id="26">26</span> |
| <span id="27">27</span> |
| <span id="28">28</span> |
| <span id="29">29</span> |
| <span id="30">30</span> |
| <span id="31">31</span> |
| <span id="32">32</span> |
| <span id="33">33</span> |
| <span id="34">34</span> |
| <span id="35">35</span> |
| <span id="36">36</span> |
| <span id="37">37</span> |
| <span id="38">38</span> |
| <span id="39">39</span> |
| <span id="40">40</span> |
| <span id="41">41</span> |
| <span id="42">42</span> |
| <span id="43">43</span> |
| <span id="44">44</span> |
| <span id="45">45</span> |
| <span id="46">46</span> |
| <span id="47">47</span> |
| <span id="48">48</span> |
| <span id="49">49</span> |
| <span id="50">50</span> |
| <span id="51">51</span> |
| <span id="52">52</span> |
| <span id="53">53</span> |
| <span id="54">54</span> |
| <span id="55">55</span> |
| <span id="56">56</span> |
| <span id="57">57</span> |
| <span id="58">58</span> |
| <span id="59">59</span> |
| <span id="60">60</span> |
| <span id="61">61</span> |
| <span id="62">62</span> |
| <span id="63">63</span> |
| <span id="64">64</span> |
| <span id="65">65</span> |
| <span id="66">66</span> |
| <span id="67">67</span> |
| <span id="68">68</span> |
| <span id="69">69</span> |
| <span id="70">70</span> |
| <span id="71">71</span> |
| <span id="72">72</span> |
| <span id="73">73</span> |
| <span id="74">74</span> |
| <span id="75">75</span> |
| <span id="76">76</span> |
| <span id="77">77</span> |
| <span id="78">78</span> |
| <span id="79">79</span> |
| <span id="80">80</span> |
| <span id="81">81</span> |
| <span id="82">82</span> |
| <span id="83">83</span> |
| <span id="84">84</span> |
| <span id="85">85</span> |
| <span id="86">86</span> |
| <span id="87">87</span> |
| <span id="88">88</span> |
| <span id="89">89</span> |
| <span id="90">90</span> |
| <span id="91">91</span> |
| <span id="92">92</span> |
| <span id="93">93</span> |
| <span id="94">94</span> |
| <span id="95">95</span> |
| <span id="96">96</span> |
| <span id="97">97</span> |
| <span id="98">98</span> |
| <span id="99">99</span> |
| <span id="100">100</span> |
| <span id="101">101</span> |
| <span id="102">102</span> |
| <span id="103">103</span> |
| <span id="104">104</span> |
| <span id="105">105</span> |
| <span id="106">106</span> |
| <span id="107">107</span> |
| <span id="108">108</span> |
| <span id="109">109</span> |
| <span id="110">110</span> |
| <span id="111">111</span> |
| <span id="112">112</span> |
| <span id="113">113</span> |
| <span id="114">114</span> |
| <span id="115">115</span> |
| <span id="116">116</span> |
| <span id="117">117</span> |
| <span id="118">118</span> |
| <span id="119">119</span> |
| <span id="120">120</span> |
| <span id="121">121</span> |
| <span id="122">122</span> |
| <span id="123">123</span> |
| <span id="124">124</span> |
| <span id="125">125</span> |
| <span id="126">126</span> |
| <span id="127">127</span> |
| <span id="128">128</span> |
| <span id="129">129</span> |
| <span id="130">130</span> |
| <span id="131">131</span> |
| <span id="132">132</span> |
| <span id="133">133</span> |
| <span id="134">134</span> |
| <span id="135">135</span> |
| <span id="136">136</span> |
| <span id="137">137</span> |
| <span id="138">138</span> |
| <span id="139">139</span> |
| <span id="140">140</span> |
| <span id="141">141</span> |
| <span id="142">142</span> |
| <span id="143">143</span> |
| <span id="144">144</span> |
| <span id="145">145</span> |
| <span id="146">146</span> |
| <span id="147">147</span> |
| <span id="148">148</span> |
| <span id="149">149</span> |
| <span id="150">150</span> |
| <span id="151">151</span> |
| <span id="152">152</span> |
| <span id="153">153</span> |
| <span id="154">154</span> |
| <span id="155">155</span> |
| <span id="156">156</span> |
| <span id="157">157</span> |
| <span id="158">158</span> |
| <span id="159">159</span> |
| <span id="160">160</span> |
| <span id="161">161</span> |
| <span id="162">162</span> |
| <span id="163">163</span> |
| <span id="164">164</span> |
| <span id="165">165</span> |
| <span id="166">166</span> |
| <span id="167">167</span> |
| <span id="168">168</span> |
| <span id="169">169</span> |
| <span id="170">170</span> |
| <span id="171">171</span> |
| <span id="172">172</span> |
| <span id="173">173</span> |
| <span id="174">174</span> |
| <span id="175">175</span> |
| <span id="176">176</span> |
| <span id="177">177</span> |
| <span id="178">178</span> |
| <span id="179">179</span> |
| <span id="180">180</span> |
| <span id="181">181</span> |
| <span id="182">182</span> |
| <span id="183">183</span> |
| <span id="184">184</span> |
| <span id="185">185</span> |
| <span id="186">186</span> |
| <span id="187">187</span> |
| <span id="188">188</span> |
| <span id="189">189</span> |
| <span id="190">190</span> |
| <span id="191">191</span> |
| <span id="192">192</span> |
| <span id="193">193</span> |
| <span id="194">194</span> |
| <span id="195">195</span> |
| <span id="196">196</span> |
| <span id="197">197</span> |
| <span id="198">198</span> |
| <span id="199">199</span> |
| <span id="200">200</span> |
| <span id="201">201</span> |
| <span id="202">202</span> |
| <span id="203">203</span> |
| <span id="204">204</span> |
| <span id="205">205</span> |
| <span id="206">206</span> |
| <span id="207">207</span> |
| <span id="208">208</span> |
| <span id="209">209</span> |
| <span id="210">210</span> |
| <span id="211">211</span> |
| <span id="212">212</span> |
| <span id="213">213</span> |
| <span id="214">214</span> |
| <span id="215">215</span> |
| <span id="216">216</span> |
| <span id="217">217</span> |
| <span id="218">218</span> |
| <span id="219">219</span> |
| <span id="220">220</span> |
| <span id="221">221</span> |
| <span id="222">222</span> |
| <span id="223">223</span> |
| <span id="224">224</span> |
| <span id="225">225</span> |
| <span id="226">226</span> |
| <span id="227">227</span> |
| <span id="228">228</span> |
| <span id="229">229</span> |
| <span id="230">230</span> |
| <span id="231">231</span> |
| <span id="232">232</span> |
| <span id="233">233</span> |
| <span id="234">234</span> |
| <span id="235">235</span> |
| <span id="236">236</span> |
| <span id="237">237</span> |
| <span id="238">238</span> |
| <span id="239">239</span> |
| <span id="240">240</span> |
| <span id="241">241</span> |
| <span id="242">242</span> |
| <span id="243">243</span> |
| <span id="244">244</span> |
| <span id="245">245</span> |
| <span id="246">246</span> |
| <span id="247">247</span> |
| <span id="248">248</span> |
| <span id="249">249</span> |
| <span id="250">250</span> |
| <span id="251">251</span> |
| <span id="252">252</span> |
| <span id="253">253</span> |
| <span id="254">254</span> |
| <span id="255">255</span> |
| <span id="256">256</span> |
| <span id="257">257</span> |
| <span id="258">258</span> |
| <span id="259">259</span> |
| <span id="260">260</span> |
| <span id="261">261</span> |
| <span id="262">262</span> |
| <span id="263">263</span> |
| <span id="264">264</span> |
| <span id="265">265</span> |
| <span id="266">266</span> |
| <span id="267">267</span> |
| <span id="268">268</span> |
| <span id="269">269</span> |
| <span id="270">270</span> |
| <span id="271">271</span> |
| <span id="272">272</span> |
| <span id="273">273</span> |
| <span id="274">274</span> |
| <span id="275">275</span> |
| <span id="276">276</span> |
| <span id="277">277</span> |
| <span id="278">278</span> |
| <span id="279">279</span> |
| <span id="280">280</span> |
| <span id="281">281</span> |
| <span id="282">282</span> |
| <span id="283">283</span> |
| <span id="284">284</span> |
| <span id="285">285</span> |
| <span id="286">286</span> |
| <span id="287">287</span> |
| <span id="288">288</span> |
| <span id="289">289</span> |
| <span id="290">290</span> |
| <span id="291">291</span> |
| <span id="292">292</span> |
| <span id="293">293</span> |
| <span id="294">294</span> |
| <span id="295">295</span> |
| <span id="296">296</span> |
| <span id="297">297</span> |
| <span id="298">298</span> |
| <span id="299">299</span> |
| <span id="300">300</span> |
| <span id="301">301</span> |
| <span id="302">302</span> |
| <span id="303">303</span> |
| <span id="304">304</span> |
| <span id="305">305</span> |
| <span id="306">306</span> |
| <span id="307">307</span> |
| <span id="308">308</span> |
| <span id="309">309</span> |
| <span id="310">310</span> |
| <span id="311">311</span> |
| <span id="312">312</span> |
| <span id="313">313</span> |
| <span id="314">314</span> |
| <span id="315">315</span> |
| <span id="316">316</span> |
| <span id="317">317</span> |
| <span id="318">318</span> |
| <span id="319">319</span> |
| <span id="320">320</span> |
| <span id="321">321</span> |
| <span id="322">322</span> |
| <span id="323">323</span> |
| <span id="324">324</span> |
| <span id="325">325</span> |
| <span id="326">326</span> |
| <span id="327">327</span> |
| <span id="328">328</span> |
| <span id="329">329</span> |
| <span id="330">330</span> |
| <span id="331">331</span> |
| <span id="332">332</span> |
| <span id="333">333</span> |
| <span id="334">334</span> |
| <span id="335">335</span> |
| </pre><pre class="rust"><code><span class="comment">// Copyright 2015 Brian Smith. |
| // |
| // Permission to use, copy, modify, and/or distribute this software for any |
| // purpose with or without fee is hereby granted, provided that the above |
| // copyright notice and this permission notice appear in all copies. |
| // |
| // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES |
| // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR |
| // ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| |
| </span><span class="kw">use crate</span>::{ |
| cert::{<span class="self">self</span>, Cert, EndEntityOrCA}, |
| der, name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor, |
| }; |
| |
| <span class="kw">pub fn </span>build_chain( |
| required_eku_if_present: KeyPurposeId, supported_sig_algs: <span class="kw-2">&</span>[<span class="kw-2">&</span>SignatureAlgorithm], |
| trust_anchors: <span class="kw-2">&</span>[TrustAnchor], intermediate_certs: <span class="kw-2">&</span>[<span class="kw-2">&</span>[u8]], cert: <span class="kw-2">&</span>Cert, time: time::Time, |
| sub_ca_count: usize, |
| ) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="kw">let </span>used_as_ca = used_as_ca(<span class="kw-2">&</span>cert.ee_or_ca); |
| |
| check_issuer_independent_properties( |
| cert, |
| time, |
| used_as_ca, |
| sub_ca_count, |
| required_eku_if_present, |
| )<span class="question-mark">?</span>; |
| |
| <span class="comment">// TODO: HPKP checks. |
| |
| </span><span class="kw">match </span>used_as_ca { |
| UsedAsCA::Yes => { |
| <span class="kw">const </span>MAX_SUB_CA_COUNT: usize = <span class="number">6</span>; |
| |
| <span class="kw">if </span>sub_ca_count >= MAX_SUB_CA_COUNT { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer); |
| } |
| }, |
| UsedAsCA::No => { |
| <span class="macro">assert_eq!</span>(<span class="number">0</span>, sub_ca_count); |
| }, |
| } |
| |
| <span class="comment">// TODO: revocation. |
| |
| </span><span class="kw">match </span>loop_while_non_fatal_error(trust_anchors, |trust_anchor: <span class="kw-2">&</span>TrustAnchor| { |
| <span class="kw">let </span>trust_anchor_subject = untrusted::Input::from(trust_anchor.subject); |
| <span class="kw">if </span>cert.issuer != trust_anchor_subject { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer); |
| } |
| |
| <span class="kw">let </span>name_constraints = trust_anchor.name_constraints.map(untrusted::Input::from); |
| |
| untrusted::read_all_optional(name_constraints, Error::BadDER, |value| { |
| name::check_name_constraints(value, <span class="kw-2">&</span>cert) |
| })<span class="question-mark">?</span>; |
| |
| <span class="kw">let </span>trust_anchor_spki = untrusted::Input::from(trust_anchor.spki); |
| |
| <span class="comment">// TODO: check_distrust(trust_anchor_subject, trust_anchor_spki)?; |
| |
| </span>check_signatures(supported_sig_algs, cert, trust_anchor_spki)<span class="question-mark">?</span>; |
| |
| <span class="prelude-val">Ok</span>(()) |
| }) { |
| <span class="prelude-val">Ok</span>(()) => { |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(()); |
| }, |
| <span class="prelude-val">Err</span>(..) => { |
| <span class="comment">// If the error is not fatal, then keep going. |
| </span>}, |
| } |
| |
| loop_while_non_fatal_error(intermediate_certs, |cert_der| { |
| <span class="kw">let </span>potential_issuer = |
| cert::parse_cert(untrusted::Input::from(<span class="kw-2">*</span>cert_der), EndEntityOrCA::CA(<span class="kw-2">&</span>cert))<span class="question-mark">?</span>; |
| |
| <span class="kw">if </span>potential_issuer.subject != cert.issuer { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer); |
| } |
| |
| <span class="comment">// Prevent loops; see RFC 4158 section 5.2. |
| </span><span class="kw">let </span><span class="kw-2">mut </span>prev = cert; |
| <span class="kw">loop </span>{ |
| <span class="kw">if </span>potential_issuer.spki.value() == prev.spki.value() |
| && potential_issuer.subject == prev.subject |
| { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer); |
| } |
| <span class="kw">match </span><span class="kw-2">&</span>prev.ee_or_ca { |
| <span class="kw-2">&</span>EndEntityOrCA::EndEntity => { |
| <span class="kw">break</span>; |
| }, |
| <span class="kw-2">&</span>EndEntityOrCA::CA(child_cert) => { |
| prev = child_cert; |
| }, |
| } |
| } |
| |
| untrusted::read_all_optional(potential_issuer.name_constraints, Error::BadDER, |value| { |
| name::check_name_constraints(value, <span class="kw-2">&</span>cert) |
| })<span class="question-mark">?</span>; |
| |
| <span class="kw">let </span>next_sub_ca_count = <span class="kw">match </span>used_as_ca { |
| UsedAsCA::No => sub_ca_count, |
| UsedAsCA::Yes => sub_ca_count + <span class="number">1</span>, |
| }; |
| |
| build_chain( |
| required_eku_if_present, |
| supported_sig_algs, |
| trust_anchors, |
| intermediate_certs, |
| <span class="kw-2">&</span>potential_issuer, |
| time, |
| next_sub_ca_count, |
| ) |
| }) |
| } |
| |
| <span class="kw">fn </span>check_signatures( |
| supported_sig_algs: <span class="kw-2">&</span>[<span class="kw-2">&</span>SignatureAlgorithm], cert_chain: <span class="kw-2">&</span>Cert, |
| trust_anchor_key: untrusted::Input, |
| ) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="kw">let </span><span class="kw-2">mut </span>spki_value = trust_anchor_key; |
| <span class="kw">let </span><span class="kw-2">mut </span>cert = cert_chain; |
| <span class="kw">loop </span>{ |
| signed_data::verify_signed_data(supported_sig_algs, spki_value, <span class="kw-2">&</span>cert.signed_data)<span class="question-mark">?</span>; |
| |
| <span class="comment">// TODO: check revocation |
| |
| </span><span class="kw">match </span><span class="kw-2">&</span>cert.ee_or_ca { |
| <span class="kw-2">&</span>EndEntityOrCA::CA(child_cert) => { |
| spki_value = cert.spki.value(); |
| cert = child_cert; |
| }, |
| <span class="kw-2">&</span>EndEntityOrCA::EndEntity => { |
| <span class="kw">break</span>; |
| }, |
| } |
| } |
| |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="kw">fn </span>check_issuer_independent_properties( |
| cert: <span class="kw-2">&</span>Cert, time: time::Time, used_as_ca: UsedAsCA, sub_ca_count: usize, |
| required_eku_if_present: KeyPurposeId, |
| ) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="comment">// TODO: check_distrust(trust_anchor_subject, trust_anchor_spki)?; |
| // TODO: Check signature algorithm like mozilla::pkix. |
| // TODO: Check SPKI like mozilla::pkix. |
| // TODO: check for active distrust like mozilla::pkix. |
| |
| // See the comment in `remember_extension` for why we don't check the |
| // KeyUsage extension. |
| |
| </span>cert.validity |
| .read_all(Error::BadDER, |value| check_validity(value, time))<span class="question-mark">?</span>; |
| untrusted::read_all_optional(cert.basic_constraints, Error::BadDER, |value| { |
| check_basic_constraints(value, used_as_ca, sub_ca_count) |
| })<span class="question-mark">?</span>; |
| untrusted::read_all_optional(cert.eku, Error::BadDER, |value| { |
| check_eku(value, required_eku_if_present) |
| })<span class="question-mark">?</span>; |
| |
| <span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.1.2.5 |
| </span><span class="kw">fn </span>check_validity(input: <span class="kw-2">&mut </span>untrusted::Reader, time: time::Time) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="kw">let </span>not_before = der::time_choice(input)<span class="question-mark">?</span>; |
| <span class="kw">let </span>not_after = der::time_choice(input)<span class="question-mark">?</span>; |
| |
| <span class="kw">if </span>not_before > not_after { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::InvalidCertValidity); |
| } |
| <span class="kw">if </span>time < not_before { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::CertNotValidYet); |
| } |
| <span class="kw">if </span>time > not_after { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::CertExpired); |
| } |
| |
| <span class="comment">// TODO: mozilla::pkix allows the TrustDomain to check not_before and |
| // not_after, to enforce things like a maximum validity period. We should |
| // do something similar. |
| |
| </span><span class="prelude-val">Ok</span>(()) |
| } |
| |
| <span class="attribute">#[derive(Clone, Copy)] |
| </span><span class="kw">enum </span>UsedAsCA { |
| Yes, |
| No, |
| } |
| |
| <span class="kw">fn </span>used_as_ca(ee_or_ca: <span class="kw-2">&</span>EndEntityOrCA) -> UsedAsCA { |
| <span class="kw">match </span>ee_or_ca { |
| <span class="kw-2">&</span>EndEntityOrCA::EndEntity => UsedAsCA::No, |
| <span class="kw-2">&</span>EndEntityOrCA::CA(..) => UsedAsCA::Yes, |
| } |
| } |
| |
| <span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.2.1.9 |
| </span><span class="kw">fn </span>check_basic_constraints( |
| input: <span class="prelude-ty">Option</span><<span class="kw-2">&mut </span>untrusted::Reader>, used_as_ca: UsedAsCA, sub_ca_count: usize, |
| ) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="kw">let </span>(is_ca, path_len_constraint) = <span class="kw">match </span>input { |
| <span class="prelude-val">Some</span>(input) => { |
| <span class="kw">let </span>is_ca = der::optional_boolean(input)<span class="question-mark">?</span>; |
| |
| <span class="comment">// https://bugzilla.mozilla.org/show_bug.cgi?id=985025: RFC 5280 |
| // says that a certificate must not have pathLenConstraint unless |
| // it is a CA certificate, but some real-world end-entity |
| // certificates have pathLenConstraint. |
| </span><span class="kw">let </span>path_len_constraint = <span class="kw">if </span>!input.at_end() { |
| <span class="kw">let </span>value = der::small_nonnegative_integer(input)<span class="question-mark">?</span>; |
| <span class="prelude-val">Some</span>(value <span class="kw">as </span>usize) |
| } <span class="kw">else </span>{ |
| <span class="prelude-val">None |
| </span>}; |
| |
| (is_ca, path_len_constraint) |
| }, |
| <span class="prelude-val">None </span>=> (<span class="bool-val">false</span>, <span class="prelude-val">None</span>), |
| }; |
| |
| <span class="kw">match </span>(used_as_ca, is_ca, path_len_constraint) { |
| (UsedAsCA::No, <span class="bool-val">true</span>, <span class="kw">_</span>) => <span class="prelude-val">Err</span>(Error::CAUsedAsEndEntity), |
| (UsedAsCA::Yes, <span class="bool-val">false</span>, <span class="kw">_</span>) => <span class="prelude-val">Err</span>(Error::EndEntityUsedAsCA), |
| (UsedAsCA::Yes, <span class="bool-val">true</span>, <span class="prelude-val">Some</span>(len)) <span class="kw">if </span>sub_ca_count > len => |
| <span class="prelude-val">Err</span>(Error::PathLenConstraintViolated), |
| <span class="kw">_ </span>=> <span class="prelude-val">Ok</span>(()), |
| } |
| } |
| |
| <span class="attribute">#[derive(Clone, Copy)] |
| </span><span class="kw">pub struct </span>KeyPurposeId { |
| oid_value: untrusted::Input<<span class="lifetime">'static</span>>, |
| } |
| |
| <span class="comment">// id-pkix OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 } |
| // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } |
| |
| // id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } |
| </span><span class="kw">pub static </span>EKU_SERVER_AUTH: KeyPurposeId = KeyPurposeId { |
| oid_value: untrusted::Input::from(<span class="kw-2">&</span>[(<span class="number">40 </span>* <span class="number">1</span>) + <span class="number">3</span>, <span class="number">6</span>, <span class="number">1</span>, <span class="number">5</span>, <span class="number">5</span>, <span class="number">7</span>, <span class="number">3</span>, <span class="number">1</span>]), |
| }; |
| |
| <span class="comment">// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } |
| </span><span class="kw">pub static </span>EKU_CLIENT_AUTH: KeyPurposeId = KeyPurposeId { |
| oid_value: untrusted::Input::from(<span class="kw-2">&</span>[(<span class="number">40 </span>* <span class="number">1</span>) + <span class="number">3</span>, <span class="number">6</span>, <span class="number">1</span>, <span class="number">5</span>, <span class="number">5</span>, <span class="number">7</span>, <span class="number">3</span>, <span class="number">2</span>]), |
| }; |
| |
| <span class="comment">// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } |
| </span><span class="kw">pub static </span>EKU_OCSP_SIGNING: KeyPurposeId = KeyPurposeId { |
| oid_value: untrusted::Input::from(<span class="kw-2">&</span>[(<span class="number">40 </span>* <span class="number">1</span>) + <span class="number">3</span>, <span class="number">6</span>, <span class="number">1</span>, <span class="number">5</span>, <span class="number">5</span>, <span class="number">7</span>, <span class="number">3</span>, <span class="number">9</span>]), |
| }; |
| |
| <span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.2.1.12 |
| // |
| // Notable Differences from RFC 5280: |
| // |
| // * We follow the convention established by Microsoft's implementation and |
| // mozilla::pkix of treating the EKU extension in a CA certificate as a |
| // restriction on the allowable EKUs for certificates issued by that CA. RFC |
| // 5280 doesn't prescribe any meaning to the EKU extension when a certificate |
| // is being used as a CA certificate. |
| // |
| // * We do not recognize anyExtendedKeyUsage. NSS and mozilla::pkix do not |
| // recognize it either. |
| // |
| // * We treat id-Netscape-stepUp as being equivalent to id-kp-serverAuth in CA |
| // certificates (only). Comodo has issued certificates that require this |
| // behavior that don't expire until June 2020. See https://bugzilla.mozilla.org/show_bug.cgi?id=982292. |
| </span><span class="kw">fn </span>check_eku( |
| input: <span class="prelude-ty">Option</span><<span class="kw-2">&mut </span>untrusted::Reader>, required_eku_if_present: KeyPurposeId, |
| ) -> <span class="prelude-ty">Result</span><(), Error> { |
| <span class="kw">match </span>input { |
| <span class="prelude-val">Some</span>(input) => { |
| <span class="kw">loop </span>{ |
| <span class="kw">let </span>value = der::expect_tag_and_get_value(input, der::Tag::OID)<span class="question-mark">?</span>; |
| <span class="kw">if </span>value == required_eku_if_present.oid_value { |
| input.skip_to_end(); |
| <span class="kw">break</span>; |
| } |
| <span class="kw">if </span>input.at_end() { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::RequiredEKUNotFound); |
| } |
| } |
| <span class="prelude-val">Ok</span>(()) |
| }, |
| <span class="prelude-val">None </span>=> { |
| <span class="comment">// http://tools.ietf.org/html/rfc6960#section-4.2.2.2: |
| // "OCSP signing delegation SHALL be designated by the inclusion of |
| // id-kp-OCSPSigning in an extended key usage certificate extension |
| // included in the OCSP response signer's certificate." |
| // |
| // A missing EKU extension generally means "any EKU", but it is |
| // important that id-kp-OCSPSigning is explicit so that a normal |
| // end-entity certificate isn't able to sign trusted OCSP responses |
| // for itself or for other certificates issued by its issuing CA. |
| </span><span class="kw">if </span>required_eku_if_present.oid_value == EKU_OCSP_SIGNING.oid_value { |
| <span class="kw">return </span><span class="prelude-val">Err</span>(Error::RequiredEKUNotFound); |
| } |
| |
| <span class="prelude-val">Ok</span>(()) |
| }, |
| } |
| } |
| |
| <span class="kw">fn </span>loop_while_non_fatal_error<V, F>(values: V, f: F) -> <span class="prelude-ty">Result</span><(), Error> |
| <span class="kw">where |
| </span>V: IntoIterator, |
| F: Fn(V::Item) -> <span class="prelude-ty">Result</span><(), Error>, |
| { |
| <span class="kw">for </span>v <span class="kw">in </span>values { |
| <span class="kw">match </span>f(v) { |
| <span class="prelude-val">Ok</span>(()) => { |
| <span class="kw">return </span><span class="prelude-val">Ok</span>(()); |
| }, |
| <span class="prelude-val">Err</span>(..) => { |
| <span class="comment">// If the error is not fatal, then keep going. |
| </span>}, |
| } |
| } |
| <span class="prelude-val">Err</span>(Error::UnknownIssuer) |
| } |
| </code></pre></div> |
| </section></div></main><div id="rustdoc-vars" data-root-path="../../" data-current-crate="webpki" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |