x501+x509: CertificateDocument, X509Version, and more additions
#393
Conversation
…ic str option, and expand to cover more OIDs
… to version number
tarcieri
changed the title
CertificateDocument, X509Version, and more additions
x509/src/certificate.rs
Outdated
| @@ -25,6 +28,57 @@ pub fn default_zero() -> u32 { | |||
| /// Version ::= INTEGER { v1(0), v2(1), v3(2) } | |||
| pub const X509_CERT_VERSION: u8 = 2; | |||
|
|
|||
| /// Version identifier for X.509 certificates. In practice, only v3 is used. | |||
| #[derive(Clone, Debug, Copy, PartialEq, Eq, PartialOrd)] | |||
| pub enum X509Version { | |||
There was a problem hiding this comment.
In the spirit of RFC356 I'd suggest simply calling this Version.
That also follows the convention used by other version types in this repo.
There was a problem hiding this comment.
ok. will change as i mop up cargo hack findings.
There was a problem hiding this comment.
#410 allows you to derive this type.
x509/src/certificate.rs
Outdated
| #[allow(unused_imports)] | ||
| use core::convert::TryFrom; | ||
| f(&[ | ||
| &ContextSpecific { | ||
| tag_number: VERSION_TAG, | ||
| tag_mode: TagMode::Explicit, | ||
| value: self.version, | ||
| value: version_value, |
There was a problem hiding this comment.
Seems like just self.version should work here, especially if you make it Copy
There was a problem hiding this comment.
Addressed here (initially I though you meant replace that production with self.version but landed as shown): carl-wallace@c226d37
…conversion to u8 when encoding context specific tag for version field.
…dd a v1 test case, add an invalid version (v7) test case
|
@tarcieri I would like to review this after my derive fixes and other cleanup has been merged. |
| /// it will parse successfully according to this crate's parsing rules. | ||
| #[derive(Clone)] | ||
| #[cfg_attr(docsrs, doc(cfg(feature = "alloc")))] | ||
| pub struct CertificateDocument(Vec<u8>); |
There was a problem hiding this comment.
@tarcieri I know I've implemented one of these document types for pkcs10. However:
-
What is the purpose of them? I don't understand how they are intended to be used. It seems that PEM decoding is implemented through the document types. However, in order to instantiate a document, you have to fully parse the DER. So why not just have the fully parsed type?
-
If there is a good reason for the document types, surely these can be genericized. They are all exactly the same code and differ only by the type of the value decoded therein. So
Document<T: Decodable + Encodable>seems like an obvious win here.
There was a problem hiding this comment.
This seems like a complicated and important enough issue I did a long-form write up on it, so as not to lose the answers to these questions in a PR comment: #421
Some short answers though:
-
The purpose of these types is discussed at length in der:
*Documenttype improvements #421, but in regard to PEM specifically, sinceDecode<'a>is zero-copy and needs to borrow from a slice containing DER, parsing PEM needs to decode DER into a buffer thatDecode<'a>can borrow from. If we had something likeDecodeOwnedwhich didn't need to borrow, documents could be decoded directly from PEM. As it were, this is how thessh-keycrate works, and I just added support for incremental/buffered PEM decoding to thepem-rfc7468crate (pem-rfc7468: buffered Base64 decoder #406) and changed thessh-keycrate to use that (ssh-key: usepem-rfc7468for private key PEM parser #407). But that only works because thessh-keycrate is built entirely around owned types (and doesn't use ASN.1 DER). -
The problem with
Document<T: Decodable + Encodable>is you omitted the lifetime onDecodable<'a>. Since it's a'selfborrow and Rust doesn't actually have a way to notate a'selflifetime you can't notate that on a struct definition, however as I noted in der:*Documenttype improvements #421 it can probably be done by moving the bounds to individual methods soDecodable<'a>can hang offpub fn decode<'a>(&'a self) -> T where T: Decode<'a>
| _ => Err(Self::TAG.value_error()), | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
@carl-wallace All the changes in this file are obsolete if we merge #410 instead.
There was a problem hiding this comment.
Sure. Further review of this until after alignment with changes to dependencies is likely not worthwhile.
| /// id-sha512 OBJECT IDENTIFIER ::= | ||
| /// { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | ||
| /// csor(3) algorithms(4) hashalgs(2) 3 } | ||
| pub const PKIXALG_SHA512: ObjectIdentifier = ObjectIdentifier::new("2.16.840.1.101.3.4.2.3"); |
There was a problem hiding this comment.
I really don't like the "big pile of OID constants" approach. There has to be a way to organize these better.
There was a problem hiding this comment.
The OIDs are grouped by module with names derived by capitalization, insertion of underscores and addition of a prefix. I'm OK with this approach, but if there is something desired please let me know.
| PKIXALG_SHA512 => "sha512", | ||
| _ => "", | ||
| } | ||
| } |
There was a problem hiding this comment.
I really don't like this function. It smells like OpenSSL. What is the purpose of it?
There was a problem hiding this comment.
Logging and display.
|
|
||
| pub fn default_zero_u8() -> u8 { | ||
| 0 | ||
| } |
There was a problem hiding this comment.
Please don't. Use Default::default.
There was a problem hiding this comment.
As part of the realignment as noted above.
|
outdated |
Modifications resulting from code review of changes to yubikey library and client tool to use x509 crate: