/rust/registry/src/index.crates.io-1949cf8c6b5b557f/x509-parser-0.16.0/src/extensions/sct.rs

Source
//! Certificate transparency [RFC6962](https://datatracker.ietf.org/doc/html/rfc6962)
//!
//! Code borrowed from tls-parser crate (file <https://github.com/rusticata/tls-parser/blob/tls-parser-0.11.0/src/certificate_transparency.rs>)

use std::convert::TryInto;

use asn1_rs::FromDer;
use der_parser::error::BerError;
use nom::bytes::streaming::take;
use nom::combinator::{complete, map_parser};
use nom::multi::{length_data, many1};
use nom::number::streaming::{be_u16, be_u64, be_u8};
use nom::IResult;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SignedCertificateTimestamp<'a> {
    pub version: CtVersion,
    pub id: CtLogID<'a>,
    pub timestamp: u64,
    pub extensions: CtExtensions<'a>,
    pub signature: DigitallySigned<'a>,
}

/// Certificate Transparency Version as defined in
/// [RFC6962 Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2)
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CtVersion(pub u8);

impl CtVersion {
    pub const V1: CtVersion = CtVersion(0);
}

/// LogID as defined in
/// [RFC6962 Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2)
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CtLogID<'a> {
    pub key_id: &'a [u8; 32],
}

/// CtExtensions as defined in
/// [RFC6962 Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2)
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CtExtensions<'a>(pub &'a [u8]);

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct DigitallySigned<'a> {
    pub hash_alg_id: u8,
    pub sign_alg_id: u8,
    pub data: &'a [u8],
}

/// Parses a list of Signed Certificate Timestamp entries
pub fn parse_ct_signed_certificate_timestamp_list(
    i: &[u8],
) -> IResult<&[u8], Vec<SignedCertificateTimestamp>, BerError> {
    // use nom::HexDisplay;
    // eprintln!("{}", i.to_hex(16));
    let (rem, b) = <&[u8]>::from_der(i)?;
    let (b, sct_len) = be_u16(b)?;
    let (_, sct_list) = map_parser(
        take(sct_len as usize),
        many1(complete(parse_ct_signed_certificate_timestamp)),
    )(b)?;
    Ok((rem, sct_list))
}

/// Parses as single Signed Certificate Timestamp entry
pub fn parse_ct_signed_certificate_timestamp(
    i: &[u8],
) -> IResult<&[u8], SignedCertificateTimestamp, BerError> {
    map_parser(
        length_data(be_u16),
        parse_ct_signed_certificate_timestamp_content,
    )(i)
}

pub(crate) fn parse_ct_signed_certificate_timestamp_content(
    i: &[u8],
) -> IResult<&[u8], SignedCertificateTimestamp, BerError> {
    let (i, version) = be_u8(i)?;
    let (i, id) = parse_log_id(i)?;
    let (i, timestamp) = be_u64(i)?;
    let (i, extensions) = parse_ct_extensions(i)?;
    let (i, signature) = parse_digitally_signed(i)?;
    let sct = SignedCertificateTimestamp {
        version: CtVersion(version),
        id,
        timestamp,
        extensions,
        signature,
    };
    Ok((i, sct))
}

// Safety: cannot fail, take() returns exactly 32 bytes
fn parse_log_id(i: &[u8]) -> IResult<&[u8], CtLogID, BerError> {
    let (i, key_id) = take(32usize)(i)?;
    Ok((
        i,
        CtLogID {
            key_id: key_id
                .try_into()
                .expect("take(32) is in sync with key_id size"),
        },
    ))
}

fn parse_ct_extensions(i: &[u8]) -> IResult<&[u8], CtExtensions, BerError> {
    let (i, ext_len) = be_u16(i)?;
    let (i, ext_data) = take(ext_len as usize)(i)?;
    Ok((i, CtExtensions(ext_data)))
}

fn parse_digitally_signed(i: &[u8]) -> IResult<&[u8], DigitallySigned, BerError> {
    let (i, hash_alg_id) = be_u8(i)?;
    let (i, sign_alg_id) = be_u8(i)?;
    let (i, data) = length_data(be_u16)(i)?;
    let signed = DigitallySigned {
        hash_alg_id,
        sign_alg_id,
        data,
    };
    Ok((i, signed))
}

Line	Count	Source
1		//! Certificate transparency [RFC6962](https://datatracker.ietf.org/doc/html/rfc6962)
2		//!
3		//! Code borrowed from tls-parser crate (file <https://github.com/rusticata/tls-parser/blob/tls-parser-0.11.0/src/certificate_transparency.rs>)
4
5		use std::convert::TryInto;
6
7		use asn1_rs::FromDer;
8		use der_parser::error::BerError;
9		use nom::bytes::streaming::take;
10		use nom::combinator::{complete, map_parser};
11		use nom::multi::{length_data, many1};
12		use nom::number::streaming::{be_u16, be_u64, be_u8};
13		use nom::IResult;
14
15		#[derive(Clone, Debug, PartialEq, Eq)]
16		pub struct SignedCertificateTimestamp<'a> {
17		pub version: CtVersion,
18		pub id: CtLogID<'a>,
19		pub timestamp: u64,
20		pub extensions: CtExtensions<'a>,
21		pub signature: DigitallySigned<'a>,
22		}
23
24		/// Certificate Transparency Version as defined in
25		/// [RFC6962 Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2)
26		#[derive(Clone, Copy, Debug, PartialEq, Eq)]
27		pub struct CtVersion(pub u8);
28
29		impl CtVersion {
30		pub const V1: CtVersion = CtVersion(0);
31		}
32
33		/// LogID as defined in
34		/// [RFC6962 Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2)
35		#[derive(Clone, Debug, PartialEq, Eq)]
36		pub struct CtLogID<'a> {
37		pub key_id: &'a [u8; 32],
38		}
39
40		/// CtExtensions as defined in
41		/// [RFC6962 Section 3.2](https://datatracker.ietf.org/doc/html/rfc6962#section-3.2)
42		#[derive(Clone, Debug, PartialEq, Eq)]
43		pub struct CtExtensions<'a>(pub &'a [u8]);
44
45		#[derive(Clone, Debug, PartialEq, Eq)]
46		pub struct DigitallySigned<'a> {
47		pub hash_alg_id: u8,
48		pub sign_alg_id: u8,
49		pub data: &'a [u8],
50		}
51
52		/// Parses a list of Signed Certificate Timestamp entries
53	1.05k	pub fn parse_ct_signed_certificate_timestamp_list(
54	1.05k	i: &[u8],
55	1.05k	) -> IResult<&[u8], Vec<SignedCertificateTimestamp>, BerError> {
56		// use nom::HexDisplay;
57		// eprintln!("{}", i.to_hex(16));
58	1.05k	let (rem, b) = <&[u8]>::from_der(i)?;
59	1.05k	let (b, sct_len) = be_u16(b)?;
60	1.05k	let (_, sct_list) = map_parser(
61	1.05k	take(sct_len as usize),
62	1.05k	many1(complete(parse_ct_signed_certificate_timestamp)),
63	1.05k	)(b)?;
64	1.05k	Ok((rem, sct_list))
65	1.05k	}
66
67		/// Parses as single Signed Certificate Timestamp entry
68	4.19k	pub fn parse_ct_signed_certificate_timestamp(
69	4.19k	i: &[u8],
70	4.19k	) -> IResult<&[u8], SignedCertificateTimestamp, BerError> {
71	4.19k	map_parser(
72	4.19k	length_data(be_u16),
73	4.19k	parse_ct_signed_certificate_timestamp_content,
74	4.19k	)(i)
75	4.19k	}
76
77	3.14k	pub(crate) fn parse_ct_signed_certificate_timestamp_content(
78	3.14k	i: &[u8],
79	3.14k	) -> IResult<&[u8], SignedCertificateTimestamp, BerError> {
80	3.14k	let (i, version) = be_u8(i)?;
81	3.14k	let (i, id) = parse_log_id(i)?;
82	3.14k	let (i, timestamp) = be_u64(i)?;
83	3.14k	let (i, extensions) = parse_ct_extensions(i)?;
84	3.14k	let (i, signature) = parse_digitally_signed(i)?;
85	3.13k	let sct = SignedCertificateTimestamp {
86	3.13k	version: CtVersion(version),
87	3.13k	id,
88	3.13k	timestamp,
89	3.13k	extensions,
90	3.13k	signature,
91	3.13k	};
92	3.13k	Ok((i, sct))
93	3.14k	}
94
95		// Safety: cannot fail, take() returns exactly 32 bytes
96	3.14k	fn parse_log_id(i: &[u8]) -> IResult<&[u8], CtLogID, BerError> {
97	3.14k	let (i, key_id) = take(32usize)(i)?;
98	3.14k	Ok((
99	3.14k	i,
100	3.14k	CtLogID {
101	3.14k	key_id: key_id
102	3.14k	.try_into()
103	3.14k	.expect("take(32) is in sync with key_id size"),
104	3.14k	},
105	3.14k	))
106	3.14k	}
107
108	3.14k	fn parse_ct_extensions(i: &[u8]) -> IResult<&[u8], CtExtensions, BerError> {
109	3.14k	let (i, ext_len) = be_u16(i)?;
110	3.14k	let (i, ext_data) = take(ext_len as usize)(i)?;
111	3.14k	Ok((i, CtExtensions(ext_data)))
112	3.14k	}
113
114	3.14k	fn parse_digitally_signed(i: &[u8]) -> IResult<&[u8], DigitallySigned, BerError> {
115	3.14k	let (i, hash_alg_id) = be_u8(i)?;
116	3.14k	let (i, sign_alg_id) = be_u8(i)?;
117	3.14k	let (i, data) = length_data(be_u16)(i)?;
118	3.13k	let signed = DigitallySigned {
119	3.13k	hash_alg_id,
120	3.13k	sign_alg_id,
121	3.13k	data,
122	3.13k	};
123	3.13k	Ok((i, signed))
124	3.14k	}

Coverage Report

Created: 2026-02-14 06:42