Google Git
Sign in
apache / incubator-teaclave-website / refs/heads/asf-site / . / api-docs / crates-app / src / webpki / verify_cert.rs.html
blob: 66e21bcdf81614fe241feccd5310947613ed25d5 [file] [log] [blame]
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/verify_cert.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>verify_cert.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../normalize.css"><link rel="stylesheet" href="../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../ayu.css" disabled><link rel="stylesheet" href="../../dark.css" disabled><link rel="stylesheet" href="../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../storage.js"></script><script defer src="../../source-script.js"></script><script defer src="../../source-files.js"></script><script defer src="../../main.js"></script><noscript><link rel="stylesheet" href="../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../webpki/index.html"><div class="logo-container"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../webpki/index.html"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span>
<span id="2">2</span>
<span id="3">3</span>
<span id="4">4</span>
<span id="5">5</span>
<span id="6">6</span>
<span id="7">7</span>
<span id="8">8</span>
<span id="9">9</span>
<span id="10">10</span>
<span id="11">11</span>
<span id="12">12</span>
<span id="13">13</span>
<span id="14">14</span>
<span id="15">15</span>
<span id="16">16</span>
<span id="17">17</span>
<span id="18">18</span>
<span id="19">19</span>
<span id="20">20</span>
<span id="21">21</span>
<span id="22">22</span>
<span id="23">23</span>
<span id="24">24</span>
<span id="25">25</span>
<span id="26">26</span>
<span id="27">27</span>
<span id="28">28</span>
<span id="29">29</span>
<span id="30">30</span>
<span id="31">31</span>
<span id="32">32</span>
<span id="33">33</span>
<span id="34">34</span>
<span id="35">35</span>
<span id="36">36</span>
<span id="37">37</span>
<span id="38">38</span>
<span id="39">39</span>
<span id="40">40</span>
<span id="41">41</span>
<span id="42">42</span>
<span id="43">43</span>
<span id="44">44</span>
<span id="45">45</span>
<span id="46">46</span>
<span id="47">47</span>
<span id="48">48</span>
<span id="49">49</span>
<span id="50">50</span>
<span id="51">51</span>
<span id="52">52</span>
<span id="53">53</span>
<span id="54">54</span>
<span id="55">55</span>
<span id="56">56</span>
<span id="57">57</span>
<span id="58">58</span>
<span id="59">59</span>
<span id="60">60</span>
<span id="61">61</span>
<span id="62">62</span>
<span id="63">63</span>
<span id="64">64</span>
<span id="65">65</span>
<span id="66">66</span>
<span id="67">67</span>
<span id="68">68</span>
<span id="69">69</span>
<span id="70">70</span>
<span id="71">71</span>
<span id="72">72</span>
<span id="73">73</span>
<span id="74">74</span>
<span id="75">75</span>
<span id="76">76</span>
<span id="77">77</span>
<span id="78">78</span>
<span id="79">79</span>
<span id="80">80</span>
<span id="81">81</span>
<span id="82">82</span>
<span id="83">83</span>
<span id="84">84</span>
<span id="85">85</span>
<span id="86">86</span>
<span id="87">87</span>
<span id="88">88</span>
<span id="89">89</span>
<span id="90">90</span>
<span id="91">91</span>
<span id="92">92</span>
<span id="93">93</span>
<span id="94">94</span>
<span id="95">95</span>
<span id="96">96</span>
<span id="97">97</span>
<span id="98">98</span>
<span id="99">99</span>
<span id="100">100</span>
<span id="101">101</span>
<span id="102">102</span>
<span id="103">103</span>
<span id="104">104</span>
<span id="105">105</span>
<span id="106">106</span>
<span id="107">107</span>
<span id="108">108</span>
<span id="109">109</span>
<span id="110">110</span>
<span id="111">111</span>
<span id="112">112</span>
<span id="113">113</span>
<span id="114">114</span>
<span id="115">115</span>
<span id="116">116</span>
<span id="117">117</span>
<span id="118">118</span>
<span id="119">119</span>
<span id="120">120</span>
<span id="121">121</span>
<span id="122">122</span>
<span id="123">123</span>
<span id="124">124</span>
<span id="125">125</span>
<span id="126">126</span>
<span id="127">127</span>
<span id="128">128</span>
<span id="129">129</span>
<span id="130">130</span>
<span id="131">131</span>
<span id="132">132</span>
<span id="133">133</span>
<span id="134">134</span>
<span id="135">135</span>
<span id="136">136</span>
<span id="137">137</span>
<span id="138">138</span>
<span id="139">139</span>
<span id="140">140</span>
<span id="141">141</span>
<span id="142">142</span>
<span id="143">143</span>
<span id="144">144</span>
<span id="145">145</span>
<span id="146">146</span>
<span id="147">147</span>
<span id="148">148</span>
<span id="149">149</span>
<span id="150">150</span>
<span id="151">151</span>
<span id="152">152</span>
<span id="153">153</span>
<span id="154">154</span>
<span id="155">155</span>
<span id="156">156</span>
<span id="157">157</span>
<span id="158">158</span>
<span id="159">159</span>
<span id="160">160</span>
<span id="161">161</span>
<span id="162">162</span>
<span id="163">163</span>
<span id="164">164</span>
<span id="165">165</span>
<span id="166">166</span>
<span id="167">167</span>
<span id="168">168</span>
<span id="169">169</span>
<span id="170">170</span>
<span id="171">171</span>
<span id="172">172</span>
<span id="173">173</span>
<span id="174">174</span>
<span id="175">175</span>
<span id="176">176</span>
<span id="177">177</span>
<span id="178">178</span>
<span id="179">179</span>
<span id="180">180</span>
<span id="181">181</span>
<span id="182">182</span>
<span id="183">183</span>
<span id="184">184</span>
<span id="185">185</span>
<span id="186">186</span>
<span id="187">187</span>
<span id="188">188</span>
<span id="189">189</span>
<span id="190">190</span>
<span id="191">191</span>
<span id="192">192</span>
<span id="193">193</span>
<span id="194">194</span>
<span id="195">195</span>
<span id="196">196</span>
<span id="197">197</span>
<span id="198">198</span>
<span id="199">199</span>
<span id="200">200</span>
<span id="201">201</span>
<span id="202">202</span>
<span id="203">203</span>
<span id="204">204</span>
<span id="205">205</span>
<span id="206">206</span>
<span id="207">207</span>
<span id="208">208</span>
<span id="209">209</span>
<span id="210">210</span>
<span id="211">211</span>
<span id="212">212</span>
<span id="213">213</span>
<span id="214">214</span>
<span id="215">215</span>
<span id="216">216</span>
<span id="217">217</span>
<span id="218">218</span>
<span id="219">219</span>
<span id="220">220</span>
<span id="221">221</span>
<span id="222">222</span>
<span id="223">223</span>
<span id="224">224</span>
<span id="225">225</span>
<span id="226">226</span>
<span id="227">227</span>
<span id="228">228</span>
<span id="229">229</span>
<span id="230">230</span>
<span id="231">231</span>
<span id="232">232</span>
<span id="233">233</span>
<span id="234">234</span>
<span id="235">235</span>
<span id="236">236</span>
<span id="237">237</span>
<span id="238">238</span>
<span id="239">239</span>
<span id="240">240</span>
<span id="241">241</span>
<span id="242">242</span>
<span id="243">243</span>
<span id="244">244</span>
<span id="245">245</span>
<span id="246">246</span>
<span id="247">247</span>
<span id="248">248</span>
<span id="249">249</span>
<span id="250">250</span>
<span id="251">251</span>
<span id="252">252</span>
<span id="253">253</span>
<span id="254">254</span>
<span id="255">255</span>
<span id="256">256</span>
<span id="257">257</span>
<span id="258">258</span>
<span id="259">259</span>
<span id="260">260</span>
<span id="261">261</span>
<span id="262">262</span>
<span id="263">263</span>
<span id="264">264</span>
<span id="265">265</span>
<span id="266">266</span>
<span id="267">267</span>
<span id="268">268</span>
<span id="269">269</span>
<span id="270">270</span>
<span id="271">271</span>
<span id="272">272</span>
<span id="273">273</span>
<span id="274">274</span>
<span id="275">275</span>
<span id="276">276</span>
<span id="277">277</span>
<span id="278">278</span>
<span id="279">279</span>
<span id="280">280</span>
<span id="281">281</span>
<span id="282">282</span>
<span id="283">283</span>
<span id="284">284</span>
<span id="285">285</span>
<span id="286">286</span>
<span id="287">287</span>
<span id="288">288</span>
<span id="289">289</span>
<span id="290">290</span>
<span id="291">291</span>
<span id="292">292</span>
<span id="293">293</span>
<span id="294">294</span>
<span id="295">295</span>
<span id="296">296</span>
<span id="297">297</span>
<span id="298">298</span>
<span id="299">299</span>
<span id="300">300</span>
<span id="301">301</span>
<span id="302">302</span>
<span id="303">303</span>
<span id="304">304</span>
<span id="305">305</span>
<span id="306">306</span>
<span id="307">307</span>
<span id="308">308</span>
<span id="309">309</span>
<span id="310">310</span>
<span id="311">311</span>
<span id="312">312</span>
<span id="313">313</span>
<span id="314">314</span>
<span id="315">315</span>
<span id="316">316</span>
<span id="317">317</span>
<span id="318">318</span>
<span id="319">319</span>
<span id="320">320</span>
<span id="321">321</span>
<span id="322">322</span>
<span id="323">323</span>
<span id="324">324</span>
<span id="325">325</span>
<span id="326">326</span>
<span id="327">327</span>
<span id="328">328</span>
<span id="329">329</span>
<span id="330">330</span>
<span id="331">331</span>
<span id="332">332</span>
<span id="333">333</span>
<span id="334">334</span>
<span id="335">335</span>
</pre><pre class="rust"><code><span class="comment">// Copyright 2015 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED &quot;AS IS&quot; AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
</span><span class="kw">use crate</span>::{
cert::{<span class="self">self</span>, Cert, EndEntityOrCA},
der, name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor,
};
<span class="kw">pub fn </span>build_chain(
required_eku_if_present: KeyPurposeId, supported_sig_algs: <span class="kw-2">&amp;</span>[<span class="kw-2">&amp;</span>SignatureAlgorithm],
trust_anchors: <span class="kw-2">&amp;</span>[TrustAnchor], intermediate_certs: <span class="kw-2">&amp;</span>[<span class="kw-2">&amp;</span>[u8]], cert: <span class="kw-2">&amp;</span>Cert, time: time::Time,
sub_ca_count: usize,
) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt; {
<span class="kw">let </span>used_as_ca = used_as_ca(<span class="kw-2">&amp;</span>cert.ee_or_ca);
check_issuer_independent_properties(
cert,
time,
used_as_ca,
sub_ca_count,
required_eku_if_present,
)<span class="question-mark">?</span>;
<span class="comment">// TODO: HPKP checks.
</span><span class="kw">match </span>used_as_ca {
UsedAsCA::Yes =&gt; {
<span class="kw">const </span>MAX_SUB_CA_COUNT: usize = <span class="number">6</span>;
<span class="kw">if </span>sub_ca_count &gt;= MAX_SUB_CA_COUNT {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer);
}
},
UsedAsCA::No =&gt; {
<span class="macro">assert_eq!</span>(<span class="number">0</span>, sub_ca_count);
},
}
<span class="comment">// TODO: revocation.
</span><span class="kw">match </span>loop_while_non_fatal_error(trust_anchors, |trust_anchor: <span class="kw-2">&amp;</span>TrustAnchor| {
<span class="kw">let </span>trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
<span class="kw">if </span>cert.issuer != trust_anchor_subject {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer);
}
<span class="kw">let </span>name_constraints = trust_anchor.name_constraints.map(untrusted::Input::from);
untrusted::read_all_optional(name_constraints, Error::BadDER, |value| {
name::check_name_constraints(value, <span class="kw-2">&amp;</span>cert)
})<span class="question-mark">?</span>;
<span class="kw">let </span>trust_anchor_spki = untrusted::Input::from(trust_anchor.spki);
<span class="comment">// TODO: check_distrust(trust_anchor_subject, trust_anchor_spki)?;
</span>check_signatures(supported_sig_algs, cert, trust_anchor_spki)<span class="question-mark">?</span>;
<span class="prelude-val">Ok</span>(())
}) {
<span class="prelude-val">Ok</span>(()) =&gt; {
<span class="kw">return </span><span class="prelude-val">Ok</span>(());
},
<span class="prelude-val">Err</span>(..) =&gt; {
<span class="comment">// If the error is not fatal, then keep going.
</span>},
}
loop_while_non_fatal_error(intermediate_certs, |cert_der| {
<span class="kw">let </span>potential_issuer =
cert::parse_cert(untrusted::Input::from(<span class="kw-2">*</span>cert_der), EndEntityOrCA::CA(<span class="kw-2">&amp;</span>cert))<span class="question-mark">?</span>;
<span class="kw">if </span>potential_issuer.subject != cert.issuer {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer);
}
<span class="comment">// Prevent loops; see RFC 4158 section 5.2.
</span><span class="kw">let </span><span class="kw-2">mut </span>prev = cert;
<span class="kw">loop </span>{
<span class="kw">if </span>potential_issuer.spki.value() == prev.spki.value()
&amp;&amp; potential_issuer.subject == prev.subject
{
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::UnknownIssuer);
}
<span class="kw">match </span><span class="kw-2">&amp;</span>prev.ee_or_ca {
<span class="kw-2">&amp;</span>EndEntityOrCA::EndEntity =&gt; {
<span class="kw">break</span>;
},
<span class="kw-2">&amp;</span>EndEntityOrCA::CA(child_cert) =&gt; {
prev = child_cert;
},
}
}
untrusted::read_all_optional(potential_issuer.name_constraints, Error::BadDER, |value| {
name::check_name_constraints(value, <span class="kw-2">&amp;</span>cert)
})<span class="question-mark">?</span>;
<span class="kw">let </span>next_sub_ca_count = <span class="kw">match </span>used_as_ca {
UsedAsCA::No =&gt; sub_ca_count,
UsedAsCA::Yes =&gt; sub_ca_count + <span class="number">1</span>,
};
build_chain(
required_eku_if_present,
supported_sig_algs,
trust_anchors,
intermediate_certs,
<span class="kw-2">&amp;</span>potential_issuer,
time,
next_sub_ca_count,
)
})
}
<span class="kw">fn </span>check_signatures(
supported_sig_algs: <span class="kw-2">&amp;</span>[<span class="kw-2">&amp;</span>SignatureAlgorithm], cert_chain: <span class="kw-2">&amp;</span>Cert,
trust_anchor_key: untrusted::Input,
) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt; {
<span class="kw">let </span><span class="kw-2">mut </span>spki_value = trust_anchor_key;
<span class="kw">let </span><span class="kw-2">mut </span>cert = cert_chain;
<span class="kw">loop </span>{
signed_data::verify_signed_data(supported_sig_algs, spki_value, <span class="kw-2">&amp;</span>cert.signed_data)<span class="question-mark">?</span>;
<span class="comment">// TODO: check revocation
</span><span class="kw">match </span><span class="kw-2">&amp;</span>cert.ee_or_ca {
<span class="kw-2">&amp;</span>EndEntityOrCA::CA(child_cert) =&gt; {
spki_value = cert.spki.value();
cert = child_cert;
},
<span class="kw-2">&amp;</span>EndEntityOrCA::EndEntity =&gt; {
<span class="kw">break</span>;
},
}
}
<span class="prelude-val">Ok</span>(())
}
<span class="kw">fn </span>check_issuer_independent_properties(
cert: <span class="kw-2">&amp;</span>Cert, time: time::Time, used_as_ca: UsedAsCA, sub_ca_count: usize,
required_eku_if_present: KeyPurposeId,
) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt; {
<span class="comment">// TODO: check_distrust(trust_anchor_subject, trust_anchor_spki)?;
// TODO: Check signature algorithm like mozilla::pkix.
// TODO: Check SPKI like mozilla::pkix.
// TODO: check for active distrust like mozilla::pkix.
// See the comment in `remember_extension` for why we don&#39;t check the
// KeyUsage extension.
</span>cert.validity
.read_all(Error::BadDER, |value| check_validity(value, time))<span class="question-mark">?</span>;
untrusted::read_all_optional(cert.basic_constraints, Error::BadDER, |value| {
check_basic_constraints(value, used_as_ca, sub_ca_count)
})<span class="question-mark">?</span>;
untrusted::read_all_optional(cert.eku, Error::BadDER, |value| {
check_eku(value, required_eku_if_present)
})<span class="question-mark">?</span>;
<span class="prelude-val">Ok</span>(())
}
<span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.1.2.5
</span><span class="kw">fn </span>check_validity(input: <span class="kw-2">&amp;mut </span>untrusted::Reader, time: time::Time) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt; {
<span class="kw">let </span>not_before = der::time_choice(input)<span class="question-mark">?</span>;
<span class="kw">let </span>not_after = der::time_choice(input)<span class="question-mark">?</span>;
<span class="kw">if </span>not_before &gt; not_after {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::InvalidCertValidity);
}
<span class="kw">if </span>time &lt; not_before {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::CertNotValidYet);
}
<span class="kw">if </span>time &gt; not_after {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::CertExpired);
}
<span class="comment">// TODO: mozilla::pkix allows the TrustDomain to check not_before and
// not_after, to enforce things like a maximum validity period. We should
// do something similar.
</span><span class="prelude-val">Ok</span>(())
}
<span class="attribute">#[derive(Clone, Copy)]
</span><span class="kw">enum </span>UsedAsCA {
Yes,
No,
}
<span class="kw">fn </span>used_as_ca(ee_or_ca: <span class="kw-2">&amp;</span>EndEntityOrCA) -&gt; UsedAsCA {
<span class="kw">match </span>ee_or_ca {
<span class="kw-2">&amp;</span>EndEntityOrCA::EndEntity =&gt; UsedAsCA::No,
<span class="kw-2">&amp;</span>EndEntityOrCA::CA(..) =&gt; UsedAsCA::Yes,
}
}
<span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.2.1.9
</span><span class="kw">fn </span>check_basic_constraints(
input: <span class="prelude-ty">Option</span>&lt;<span class="kw-2">&amp;mut </span>untrusted::Reader&gt;, used_as_ca: UsedAsCA, sub_ca_count: usize,
) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt; {
<span class="kw">let </span>(is_ca, path_len_constraint) = <span class="kw">match </span>input {
<span class="prelude-val">Some</span>(input) =&gt; {
<span class="kw">let </span>is_ca = der::optional_boolean(input)<span class="question-mark">?</span>;
<span class="comment">// https://bugzilla.mozilla.org/show_bug.cgi?id=985025: RFC 5280
// says that a certificate must not have pathLenConstraint unless
// it is a CA certificate, but some real-world end-entity
// certificates have pathLenConstraint.
</span><span class="kw">let </span>path_len_constraint = <span class="kw">if </span>!input.at_end() {
<span class="kw">let </span>value = der::small_nonnegative_integer(input)<span class="question-mark">?</span>;
<span class="prelude-val">Some</span>(value <span class="kw">as </span>usize)
} <span class="kw">else </span>{
<span class="prelude-val">None
</span>};
(is_ca, path_len_constraint)
},
<span class="prelude-val">None </span>=&gt; (<span class="bool-val">false</span>, <span class="prelude-val">None</span>),
};
<span class="kw">match </span>(used_as_ca, is_ca, path_len_constraint) {
(UsedAsCA::No, <span class="bool-val">true</span>, <span class="kw">_</span>) =&gt; <span class="prelude-val">Err</span>(Error::CAUsedAsEndEntity),
(UsedAsCA::Yes, <span class="bool-val">false</span>, <span class="kw">_</span>) =&gt; <span class="prelude-val">Err</span>(Error::EndEntityUsedAsCA),
(UsedAsCA::Yes, <span class="bool-val">true</span>, <span class="prelude-val">Some</span>(len)) <span class="kw">if </span>sub_ca_count &gt; len =&gt;
<span class="prelude-val">Err</span>(Error::PathLenConstraintViolated),
<span class="kw">_ </span>=&gt; <span class="prelude-val">Ok</span>(()),
}
}
<span class="attribute">#[derive(Clone, Copy)]
</span><span class="kw">pub struct </span>KeyPurposeId {
oid_value: untrusted::Input&lt;<span class="lifetime">&#39;static</span>&gt;,
}
<span class="comment">// id-pkix OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 }
// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
// id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
</span><span class="kw">pub static </span>EKU_SERVER_AUTH: KeyPurposeId = KeyPurposeId {
oid_value: untrusted::Input::from(<span class="kw-2">&amp;</span>[(<span class="number">40 </span>* <span class="number">1</span>) + <span class="number">3</span>, <span class="number">6</span>, <span class="number">1</span>, <span class="number">5</span>, <span class="number">5</span>, <span class="number">7</span>, <span class="number">3</span>, <span class="number">1</span>]),
};
<span class="comment">// id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
</span><span class="kw">pub static </span>EKU_CLIENT_AUTH: KeyPurposeId = KeyPurposeId {
oid_value: untrusted::Input::from(<span class="kw-2">&amp;</span>[(<span class="number">40 </span>* <span class="number">1</span>) + <span class="number">3</span>, <span class="number">6</span>, <span class="number">1</span>, <span class="number">5</span>, <span class="number">5</span>, <span class="number">7</span>, <span class="number">3</span>, <span class="number">2</span>]),
};
<span class="comment">// id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 }
</span><span class="kw">pub static </span>EKU_OCSP_SIGNING: KeyPurposeId = KeyPurposeId {
oid_value: untrusted::Input::from(<span class="kw-2">&amp;</span>[(<span class="number">40 </span>* <span class="number">1</span>) + <span class="number">3</span>, <span class="number">6</span>, <span class="number">1</span>, <span class="number">5</span>, <span class="number">5</span>, <span class="number">7</span>, <span class="number">3</span>, <span class="number">9</span>]),
};
<span class="comment">// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
//
// Notable Differences from RFC 5280:
//
// * We follow the convention established by Microsoft&#39;s implementation and
// mozilla::pkix of treating the EKU extension in a CA certificate as a
// restriction on the allowable EKUs for certificates issued by that CA. RFC
// 5280 doesn&#39;t prescribe any meaning to the EKU extension when a certificate
// is being used as a CA certificate.
//
// * We do not recognize anyExtendedKeyUsage. NSS and mozilla::pkix do not
// recognize it either.
//
// * We treat id-Netscape-stepUp as being equivalent to id-kp-serverAuth in CA
// certificates (only). Comodo has issued certificates that require this
// behavior that don&#39;t expire until June 2020. See https://bugzilla.mozilla.org/show_bug.cgi?id=982292.
</span><span class="kw">fn </span>check_eku(
input: <span class="prelude-ty">Option</span>&lt;<span class="kw-2">&amp;mut </span>untrusted::Reader&gt;, required_eku_if_present: KeyPurposeId,
) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt; {
<span class="kw">match </span>input {
<span class="prelude-val">Some</span>(input) =&gt; {
<span class="kw">loop </span>{
<span class="kw">let </span>value = der::expect_tag_and_get_value(input, der::Tag::OID)<span class="question-mark">?</span>;
<span class="kw">if </span>value == required_eku_if_present.oid_value {
input.skip_to_end();
<span class="kw">break</span>;
}
<span class="kw">if </span>input.at_end() {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::RequiredEKUNotFound);
}
}
<span class="prelude-val">Ok</span>(())
},
<span class="prelude-val">None </span>=&gt; {
<span class="comment">// http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
// &quot;OCSP signing delegation SHALL be designated by the inclusion of
// id-kp-OCSPSigning in an extended key usage certificate extension
// included in the OCSP response signer&#39;s certificate.&quot;
//
// A missing EKU extension generally means &quot;any EKU&quot;, but it is
// important that id-kp-OCSPSigning is explicit so that a normal
// end-entity certificate isn&#39;t able to sign trusted OCSP responses
// for itself or for other certificates issued by its issuing CA.
</span><span class="kw">if </span>required_eku_if_present.oid_value == EKU_OCSP_SIGNING.oid_value {
<span class="kw">return </span><span class="prelude-val">Err</span>(Error::RequiredEKUNotFound);
}
<span class="prelude-val">Ok</span>(())
},
}
}
<span class="kw">fn </span>loop_while_non_fatal_error&lt;V, F&gt;(values: V, f: F) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt;
<span class="kw">where
</span>V: IntoIterator,
F: Fn(V::Item) -&gt; <span class="prelude-ty">Result</span>&lt;(), Error&gt;,
{
<span class="kw">for </span>v <span class="kw">in </span>values {
<span class="kw">match </span>f(v) {
<span class="prelude-val">Ok</span>(()) =&gt; {
<span class="kw">return </span><span class="prelude-val">Ok</span>(());
},
<span class="prelude-val">Err</span>(..) =&gt; {
<span class="comment">// If the error is not fatal, then keep going.
</span>},
}
}
<span class="prelude-val">Err</span>(Error::UnknownIssuer)
}
</code></pre></div>
</section></div></main><div id="rustdoc-vars" data-root-path="../../" data-current-crate="webpki" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html>