/rust/registry/src/index.crates.io-1949cf8c6b5b557f/rustls-webpki-0.102.8/src/x509.rs

Source
// Copyright 2015 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use crate::der::{self, DerIterator, FromDer, CONSTRUCTED, CONTEXT_SPECIFIC};
use crate::error::{DerTypeId, Error};
use crate::subject_name::GeneralName;

pub(crate) struct Extension<'a> {
    pub(crate) critical: bool,
    pub(crate) id: untrusted::Input<'a>,
    pub(crate) value: untrusted::Input<'a>,
}

impl<'a> Extension<'a> {
    pub(crate) fn unsupported(&self) -> Result<(), Error> {
        match self.critical {
            true => Err(Error::UnsupportedCriticalExtension),
            false => Ok(()),
        }
    }
}

impl<'a> FromDer<'a> for Extension<'a> {
    fn from_der(reader: &mut untrusted::Reader<'a>) -> Result<Self, Error> {
        let id = der::expect_tag(reader, der::Tag::OID)?;
        let critical = bool::from_der(reader)?;
        let value = der::expect_tag(reader, der::Tag::OctetString)?;
        Ok(Extension {
            id,
            critical,
            value,
        })
    }

    const TYPE_ID: DerTypeId = DerTypeId::Extension;
}

pub(crate) fn set_extension_once<T>(
    destination: &mut Option<T>,
    parser: impl Fn() -> Result<T, Error>,
) -> Result<(), Error> {
    match destination {
        // The extension value has already been set, indicating that we encountered it
        // more than once in our serialized data. That's invalid!
        Some(..) => Err(Error::ExtensionValueInvalid),
        None => {
            *destination = Some(parser()?);
            Ok(())
        }
    }
}

pub(crate) fn remember_extension(
    extension: &Extension<'_>,
    mut handler: impl FnMut(u8) -> Result<(), Error>,
) -> Result<(), Error> {
    // ISO arc for standard certificate and CRL extensions.
    // https://www.rfc-editor.org/rfc/rfc5280#appendix-A.2
    static ID_CE: [u8; 2] = oid![2, 5, 29];

    if extension.id.len() != ID_CE.len() + 1
        || !extension.id.as_slice_less_safe().starts_with(&ID_CE)
    {
        return extension.unsupported();
    }

    // safety: we verify len is non-zero and has the correct prefix above.
    let last_octet = *extension.id.as_slice_less_safe().last().unwrap();
    handler(last_octet)
}

/// A certificate revocation list (CRL) distribution point name, describing a source of
/// CRL information for a given certificate as described in RFC 5280 section 4.2.3.13[^1].
///
/// [^1]: <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.13>
pub(crate) enum DistributionPointName<'a> {
    /// The distribution point name is a relative distinguished name, relative to the CRL issuer.
    NameRelativeToCrlIssuer,
    /// The distribution point name is a sequence of [GeneralName] items.
    FullName(DerIterator<'a, GeneralName<'a>>),
}

impl<'a> FromDer<'a> for DistributionPointName<'a> {
    fn from_der(reader: &mut untrusted::Reader<'a>) -> Result<Self, Error> {
        // RFC 5280 section §4.2.1.13:
        //   When the distributionPoint field is present, it contains either a
        //   SEQUENCE of general names or a single value, nameRelativeToCRLIssuer
        const FULL_NAME_TAG: u8 = CONTEXT_SPECIFIC | CONSTRUCTED;
        const NAME_RELATIVE_TO_CRL_ISSUER_TAG: u8 = CONTEXT_SPECIFIC | CONSTRUCTED | 1;

        let (tag, value) = der::read_tag_and_get_value(reader)?;
        match tag {
            FULL_NAME_TAG => Ok(DistributionPointName::FullName(DerIterator::new(value))),
            NAME_RELATIVE_TO_CRL_ISSUER_TAG => Ok(DistributionPointName::NameRelativeToCrlIssuer),
            _ => Err(Error::BadDer),
        }
    }

    const TYPE_ID: DerTypeId = DerTypeId::DistributionPointName;
}

Coverage Report

Created: 2025-10-29 07:05

Line	Count	Source
1		// Copyright 2015 Brian Smith.
2		//
3		// Permission to use, copy, modify, and/or distribute this software for any
4		// purpose with or without fee is hereby granted, provided that the above
5		// copyright notice and this permission notice appear in all copies.
6		//
7		// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8		// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9		// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10		// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11		// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12		// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13		// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15		use crate::der::{self, DerIterator, FromDer, CONSTRUCTED, CONTEXT_SPECIFIC};
16		use crate::error::{DerTypeId, Error};
17		use crate::subject_name::GeneralName;
18
19		pub(crate) struct Extension<'a> {
20		pub(crate) critical: bool,
21		pub(crate) id: untrusted::Input<'a>,
22		pub(crate) value: untrusted::Input<'a>,
23		}
24
25		impl<'a> Extension<'a> {
26	0	pub(crate) fn unsupported(&self) -> Result<(), Error> {
27	0	match self.critical {
28	0	true => Err(Error::UnsupportedCriticalExtension),
29	0	false => Ok(()),
30		}
31	0	}
32		}
33
34		impl<'a> FromDer<'a> for Extension<'a> {
35	0	fn from_der(reader: &mut untrusted::Reader<'a>) -> Result<Self, Error> {
36	0	let id = der::expect_tag(reader, der::Tag::OID)?;
37	0	let critical = bool::from_der(reader)?;
38	0	let value = der::expect_tag(reader, der::Tag::OctetString)?;
39	0	Ok(Extension {
40	0	id,
41	0	critical,
42	0	value,
43	0	})
44	0	}
45
46		const TYPE_ID: DerTypeId = DerTypeId::Extension;
47		}
48
49	0	pub(crate) fn set_extension_once<T>(
50	0	destination: &mut Option<T>,
51	0	parser: impl Fn() -> Result<T, Error>,
52	0	) -> Result<(), Error> {
53	0	match destination {
54		// The extension value has already been set, indicating that we encountered it
55		// more than once in our serialized data. That's invalid!
56	0	Some(..) => Err(Error::ExtensionValueInvalid),
57		None => {
58	0	*destination = Some(parser()?);
59	0	Ok(())
60		}
61		}
62	0	} Unexecuted instantiation: webpki::x509::set_extension_once::<rustls_pki_types::UnixTime, <webpki::crl::types::BorrowedRevokedCert>::remember_extension::{closure#0}::{closure#1}> Unexecuted instantiation: webpki::x509::set_extension_once::<webpki::der::BitStringFlags, <webpki::crl::types::IssuingDistributionPoint>::from_der::{closure#0}::{closure#1}> Unexecuted instantiation: webpki::x509::set_extension_once::<webpki::der::BitStringFlags, <webpki::cert::CrlDistributionPoint as webpki::der::FromDer>::from_der::{closure#0}::{closure#1}> Unexecuted instantiation: webpki::x509::set_extension_once::<untrusted::input::Input, <webpki::crl::types::BorrowedCertRevocationList>::remember_extension::{closure#0}::{closure#1}> Unexecuted instantiation: webpki::x509::set_extension_once::<untrusted::input::Input, <webpki::crl::types::IssuingDistributionPoint>::from_der::{closure#0}::{closure#0}> Unexecuted instantiation: webpki::x509::set_extension_once::<untrusted::input::Input, webpki::cert::remember_cert_extension::{closure#0}::{closure#0}> Unexecuted instantiation: webpki::x509::set_extension_once::<untrusted::input::Input, <webpki::cert::CrlDistributionPoint as webpki::der::FromDer>::from_der::{closure#0}::{closure#0}> Unexecuted instantiation: webpki::x509::set_extension_once::<untrusted::input::Input, <webpki::cert::CrlDistributionPoint as webpki::der::FromDer>::from_der::{closure#0}::{closure#2}> Unexecuted instantiation: webpki::x509::set_extension_once::<webpki::crl::types::RevocationReason, <webpki::crl::types::BorrowedRevokedCert>::remember_extension::{closure#0}::{closure#0}>
63
64	0	pub(crate) fn remember_extension(
65	0	extension: &Extension<'_>,
66	0	mut handler: impl FnMut(u8) -> Result<(), Error>,
67	0	) -> Result<(), Error> {
68		// ISO arc for standard certificate and CRL extensions.
69		// https://www.rfc-editor.org/rfc/rfc5280#appendix-A.2
70		static ID_CE: [u8; 2] = oid![2, 5, 29];
71
72	0	if extension.id.len() != ID_CE.len() + 1
73	0	\|\| !extension.id.as_slice_less_safe().starts_with(&ID_CE)
74		{
75	0	return extension.unsupported();
76	0	}
77
78		// safety: we verify len is non-zero and has the correct prefix above.
79	0	let last_octet = *extension.id.as_slice_less_safe().last().unwrap();
80	0	handler(last_octet)
81	0	} Unexecuted instantiation: webpki::x509::remember_extension::<<webpki::crl::types::BorrowedCertRevocationList>::remember_extension::{closure#0}> Unexecuted instantiation: webpki::x509::remember_extension::<<webpki::crl::types::BorrowedRevokedCert>::remember_extension::{closure#0}> Unexecuted instantiation: webpki::x509::remember_extension::<webpki::cert::remember_cert_extension::{closure#0}>
82
83		/// A certificate revocation list (CRL) distribution point name, describing a source of
84		/// CRL information for a given certificate as described in RFC 5280 section 4.2.3.13[^1].
85		///
86		/// [^1]: <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.13>
87		pub(crate) enum DistributionPointName<'a> {
88		/// The distribution point name is a relative distinguished name, relative to the CRL issuer.
89		NameRelativeToCrlIssuer,
90		/// The distribution point name is a sequence of [GeneralName] items.
91		FullName(DerIterator<'a, GeneralName<'a>>),
92		}
93
94		impl<'a> FromDer<'a> for DistributionPointName<'a> {
95	0	fn from_der(reader: &mut untrusted::Reader<'a>) -> Result<Self, Error> {
96		// RFC 5280 section §4.2.1.13:
97		// When the distributionPoint field is present, it contains either a
98		// SEQUENCE of general names or a single value, nameRelativeToCRLIssuer
99		const FULL_NAME_TAG: u8 = CONTEXT_SPECIFIC \| CONSTRUCTED;
100		const NAME_RELATIVE_TO_CRL_ISSUER_TAG: u8 = CONTEXT_SPECIFIC \| CONSTRUCTED \| 1;
101
102	0	let (tag, value) = der::read_tag_and_get_value(reader)?;
103	0	match tag {
104	0	FULL_NAME_TAG => Ok(DistributionPointName::FullName(DerIterator::new(value))),
105	0	NAME_RELATIVE_TO_CRL_ISSUER_TAG => Ok(DistributionPointName::NameRelativeToCrlIssuer),
106	0	_ => Err(Error::BadDer),
107		}
108	0	}
109
110		const TYPE_ID: DerTypeId = DerTypeId::DistributionPointName;
111		}