x509-cert: builder updates #1001
Merged
Commits on Apr 18, 2023
-
x509-cert: builder: implement std::error::Error for Error
Without this, x509-cert::builder::Error can not be used in the pattern of Box<dyn Error>, which is pretty common. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: builder: disable DigitalSignature usage on Root and SubCA …
…keys Per RFC5280, DigitalSignature 'is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates (bit 5) and CRLs (bit 6)'. Using CA keys to sign random data would definitely be a bad practice and should be avoided. Thus remove the DigitalSignature keyUsage from these certificates. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: builder: use DynSignatureAlgorithmIdentifier for S
RSA PSS implements DynSignatureAlgorithmIdentifier only for the SigningKey, not for the verifying key. To allow using CertificateBuilder with RSA PSS keys require DynSignatureAlgorithmIdentifier implementation on S rather than on S::VerifyingKey. This also follows the following logic: verifying key can possibly verify several kinds of signatures, while for the signing key we must know exact signature kind and parameters. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: builder: don't require mutability of the signer
Signer (unlike SignerMut) is not expected to be mutable. Don't require mutability of the Signer argument. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: builder: make keyEncipherment usage optional
ECDSA keys can not be used for keyEncipherment. Make this keyUsage bit optional. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: test-support/zlint: implement Eq in addition to PartialEq
Add Eq to the list of derived traits to make clippy happy. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: don't require signature's 'derive' feature
There are no dependencies on the "derive" featue of the signature crate. Drop it now. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert: builder: follow rules from RFC5280 to set certificate's ve…
…rsion Follow the rules from RFC 5280 Section 4.1.2.1 to set the certificate's version depending on the presence of the extensions and identifiers. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
x509-cert/tests/builder: remove extra to_der/from_der conversion
Remove unused conversion when building RDN fields. Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.