Diffstat (limited to 'src/ext/pkix.rs')
-rw-r--r--src/ext/pkix.rs56
1 files changed, 39 insertions, 17 deletions
diff --git a/src/ext/pkix.rs b/src/ext/pkix.rs
index dec0659..95a5e2b 100644
--- a/src/ext/pkix.rs
+++ b/src/ext/pkix.rs
@@ -31,7 +31,7 @@ pub use const_oid::db::rfc5280::{
use alloc::vec::Vec;
-use der::asn1::OctetStringRef;
+use der::asn1::OctetString;
/// SubjectKeyIdentifier as defined in [RFC 5280 Section 4.2.1.2].
///
@@ -40,14 +40,19 @@ use der::asn1::OctetStringRef;
/// ```
///
/// [RFC 5280 Section 4.2.1.2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2
-#[derive(Copy, Clone, Debug, PartialEq, Eq)]
-pub struct SubjectKeyIdentifier<'a>(pub OctetStringRef<'a>);
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct SubjectKeyIdentifier(pub OctetString);
-impl<'a> AssociatedOid for SubjectKeyIdentifier<'a> {
+impl AssociatedOid for SubjectKeyIdentifier {
const OID: ObjectIdentifier = ID_CE_SUBJECT_KEY_IDENTIFIER;
}
-impl_newtype!(SubjectKeyIdentifier<'a>, OctetStringRef<'a>);
+impl_newtype!(SubjectKeyIdentifier, OctetString);
+impl_extension!(SubjectKeyIdentifier, critical = false);
+impl_key_identifier!(
+ SubjectKeyIdentifier,
+ (|result: &[u8]| Ok(Self(OctetString::new(result)?)))
+);
/// SubjectAltName as defined in [RFC 5280 Section 4.2.1.6].
///
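Review bot: The hard-coded `critical = false` on `impl_extension!(SubjectKeyIdentifier, critical = false);` carries no reference to the RFC clause that mandates it, and the same applies to the IssuerAltName, SubjectDirectoryAttributes and InhibitAnyPolicy invocations in the three later hunks. RFC 5280 §4.2.1.2 requires conforming CAs to mark SKI non-critical, §4.2.1.8 says the same for SubjectDirectoryAttributes, §4.2.1.7 says IssuerAltName SHOULD be non-critical, and §4.2.1.14 requires InhibitAnyPolicy to be critical, so each value looks right, but a one-line comment such as `// RFC 5280 §4.2.1.2: conforming CAs MUST mark this extension as non-critical` beside each invocation would let a reviewer confirm the flag without opening the RFC. The `impl_key_identifier!` closure likewise does not say which §4.2.1.2 derivation method the macro implements; the digest is presumably chosen inside the macro, which is outside this hunk, so a short comment stating it here would help readers of this file.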
@@ -57,13 +62,30 @@ impl_newtype!(SubjectKeyIdentifier<'a>, OctetStringRef<'a>);
///
/// [RFC 5280 Section 4.2.1.6]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
#[derive(Clone, Debug, Default, PartialEq, Eq)]
-pub struct SubjectAltName<'a>(pub name::GeneralNames<'a>);
+pub struct SubjectAltName(pub name::GeneralNames);
-impl<'a> AssociatedOid for SubjectAltName<'a> {
+impl AssociatedOid for SubjectAltName {
const OID: ObjectIdentifier = ID_CE_SUBJECT_ALT_NAME;
}
-impl_newtype!(SubjectAltName<'a>, name::GeneralNames<'a>);
+impl_newtype!(SubjectAltName, name::GeneralNames);
+
+impl crate::ext::AsExtension for SubjectAltName {
+ fn critical(&self, subject: &crate::name::Name, _extensions: &[super::Extension]) -> bool {
+ // https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
+ // Further, if the only subject identity included in the certificate is
+ // an alternative name form (e.g., an electronic mail address), then the
+ // subject distinguished name MUST be empty (an empty sequence), and the
+ // subjectAltName extension MUST be present. If the subject field
+ // contains an empty sequence, then the issuing CA MUST include a
+ // subjectAltName extension that is marked as critical. When including
+ // the subjectAltName extension in a certificate that has a non-empty
+ // subject distinguished name, conforming CAs SHOULD mark the
+ // subjectAltName extension as non-critical.
+
+ subject.is_empty()
+ }
+}
/// IssuerAltName as defined in [RFC 5280 Section 4.2.1.7].
///
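Review bot: The `critical` implementation on the new `AsExtension` impl for SubjectAltName encodes the criticality rule from §4.2.1.6, but nothing in the hunk enforces the companion requirement that the extension contain at least one GeneralName, so an empty `subject` paired with an empty `SubjectAltName` would still produce a certificate with no subject identity at all. If the trait's `to_extension` (not in this hunk) does not already reject that case, it is the place to check it — for instance via an `is_empty` on `name::GeneralNames` if it exposes one — since `critical` can only return a bool. The long RFC quotation inside the method body would read better as a `///` doc comment on the `critical` fn, leaving a one-line `// RFC 5280 §4.2.1.6: SAN MUST be critical when the subject DN is empty` above `subject.is_empty()`. Also `crate::ext::AsExtension` and `super::Extension` name the same module two different ways in one signature; pick one.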
@@ -73,13 +95,14 @@ impl_newtype!(SubjectAltName<'a>, name::GeneralNames<'a>);
///
/// [RFC 5280 Section 4.2.1.7]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.7
#[derive(Clone, Debug, Default, PartialEq, Eq)]
-pub struct IssuerAltName<'a>(pub name::GeneralNames<'a>);
+pub struct IssuerAltName(pub name::GeneralNames);
-impl<'a> AssociatedOid for IssuerAltName<'a> {
+impl AssociatedOid for IssuerAltName {
const OID: ObjectIdentifier = ID_CE_ISSUER_ALT_NAME;
}
-impl_newtype!(IssuerAltName<'a>, name::GeneralNames<'a>);
+impl_newtype!(IssuerAltName, name::GeneralNames);
+impl_extension!(IssuerAltName, critical = false);
/// SubjectDirectoryAttributes as defined in [RFC 5280 Section 4.2.1.8].
///
@@ -89,16 +112,14 @@ impl_newtype!(IssuerAltName<'a>, name::GeneralNames<'a>);
///
/// [RFC 5280 Section 4.2.1.8]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.8
#[derive(Clone, Debug, Default, PartialEq, Eq)]
-pub struct SubjectDirectoryAttributes<'a>(pub Vec<AttributeTypeAndValue<'a>>);
+pub struct SubjectDirectoryAttributes(pub Vec<AttributeTypeAndValue>);
-impl<'a> AssociatedOid for SubjectDirectoryAttributes<'a> {
+impl AssociatedOid for SubjectDirectoryAttributes {
const OID: ObjectIdentifier = ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES;
}
-impl_newtype!(
- SubjectDirectoryAttributes<'a>,
- Vec<AttributeTypeAndValue<'a>>
-);
+impl_newtype!(SubjectDirectoryAttributes, Vec<AttributeTypeAndValue>);
+impl_extension!(SubjectDirectoryAttributes, critical = false);
/// InhibitAnyPolicy as defined in [RFC 5280 Section 4.2.1.14].
///
@@ -115,3 +136,4 @@ impl AssociatedOid for InhibitAnyPolicy {
}
impl_newtype!(InhibitAnyPolicy, u32);
+impl_extension!(InhibitAnyPolicy, critical = true);