Id cert basic ca path len #241

Merged
merged 9 commits into from
Nov 28, 2022
36 changes: 35 additions & 1 deletion src/ca/idcert.rs
Expand Up @@ -479,7 +479,7 @@ impl TbsIdCert {
let value = OctetString::take_from(cons)?;
Mode::Der.decode(value.into_source(), |content| {
if id == oid::CE_BASIC_CONSTRAINTS {
TbsCert::take_basic_constraints(
TbsIdCert::take_basic_constraints(
content, &mut basic_ca
)
} else if id == oid::CE_SUBJECT_KEY_IDENTIFIER {
Expand Down Expand Up @@ -527,6 +527,32 @@ impl TbsIdCert {
})
}

/// Parses the Basic Constraints extension.
///
/// ```text
/// BasicConstraints ::= SEQUENCE {
/// cA BOOLEAN DEFAULT FALSE,
/// pathLenConstraint INTEGER (0..MAX) OPTIONAL
/// }
/// ```
/// Contrary to RFC 6487 the pathLenConstraint is not forbidden
/// in identity certificates.
fn take_basic_constraints<S: decode::Source>(
cons: &mut decode::Constructed<S>,
basic_ca: &mut Option<bool>,
) -> Result<(), DecodeError<S::Error>> {
if basic_ca.is_some() {
Err(cons.content_err("duplicate Basic Constraints extension"))
}
else {
cons.take_sequence(|cons| {
*basic_ca = Some(cons.take_opt_bool()?.unwrap_or(false));
let _path_len_constraint = cons.take_opt_u64()?;
Ok(())
})
}
}

/// Parses the Authority Key Identifier extension.
///
/// ```text
Expand Down Expand Up @@ -683,6 +709,14 @@ pub mod tests {
let idcert_moment = Time::utc(2012, 1, 1, 0, 0, 0);
idcert.validate_ta_at(idcert_moment).unwrap();
}

#[test]
fn parse_afrinic_ta_id_cert() {
let data = include_bytes!("../../test-data/ca/id_afrinic.cer");
let idcert = IdCert::decode(Bytes::from_static(data)).unwrap();
let idcert_moment = Time::utc(2022, 10, 25, 15, 0, 0);
idcert.validate_ta_at(idcert_moment).unwrap();
}
}

#[cfg(all(test, feature = "softkeys"))]
Expand Down
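Review bot: In the new `TbsIdCert::take_basic_constraints`, the line `let _path_len_constraint = cons.take_opt_u64()?;` parses the pathLenConstraint and then drops it, so a limit carried by an identity CA certificate is neither retained nor enforced by anything in this hunk; whether validation elsewhere applies it cannot be seen from here. If discarding it is intended, the doc comment should say so, e.g. `/// A pathLenConstraint, if present, is accepted but not retained or enforced.`, so a reader does not assume the limit is checked during chain validation. If it is meant to be enforced, the value should be stored on the struct next to `basic_ca` rather than bound to a throwaway local. The new `parse_afrinic_ta_id_cert` test pins its moment with `Time::utc`, which is the right pattern for a fixture with a fixed validity window.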
19 changes: 17 additions & 2 deletions src/ca/idexchange.rs
Expand Up @@ -702,12 +702,13 @@ impl ParentResponse {
writer.done()
}

/// Validates and return the IdCert if it is correct and valid.
/// Validates the IdCert and returns it if it is valid.
pub fn validate(&self) -> Result<IdCert, Error> {
self.validate_at(Time::now())
}

fn validate_at(&self, when: Time) -> Result<IdCert, Error> {
/// Validates the IdCert at the given date, and returns it if it is valid.
pub fn validate_at(&self, when: Time) -> Result<IdCert, Error> {
validate_idcert_at(&self.id_cert, when)
}

Expand Down Expand Up @@ -1314,6 +1315,20 @@ mod tests {
assert_eq!(req, re_decoded);
}

#[test]
fn afrinic_parent_response_codec() {
let xml = include_str!("../../test-data/ca/rfc8183/afrinic-parent-response.xml");
let req = ParentResponse::parse(xml.as_bytes()).unwrap();

let re_encoded_xml = req.to_xml_string();
let re_decoded =
ParentResponse::parse(re_encoded_xml.as_bytes()).unwrap();

assert_eq!(req, re_decoded);

let _ta_cert = req.validate().unwrap();
}

#[test]
fn parent_response_krill_0_9() {
let xml = include_str!("../../test-data/ca/rfc8183/krill-0-9-parent-response.xml");
Expand Down
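Review bot: The new `afrinic_parent_response_codec` test ends with `let _ta_cert = req.validate().unwrap();`, and `validate` is shown calling `self.validate_at(Time::now())`, so the test will start failing once the embedded certificate's validity period has passed — the `parse_afrinic_ta_id_cert` test in idcert.rs avoids this by pinning the moment. Since this hunk makes `validate_at` public, the test can use it directly: `let _ta_cert = req.validate_at(Time::utc(2022, 10, 25, 15, 0, 0)).unwrap();` (assuming `Time` is imported in the tests module, which is not visible here). The new doc comment on `validate_at` could also state that `when` is presumably the instant the certificate's validity is checked against and that callers should normally go through `validate`, so the public entry point is not mistaken for a way to skip the expiry check.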
19 changes: 12 additions & 7 deletions src/repository/cert.rs
Expand Up @@ -1737,15 +1737,20 @@ impl TbsCert {
basic_ca: &mut Option<bool>,
) -> Result<(), DecodeError<S::Error>> {
if basic_ca.is_some() {
Err(cons.content_err("duplicate Basic Contraints extension"))
Err(cons.content_err("duplicate Basic Constraints extension"))
}
else {
*basic_ca = Some(
cons.take_sequence(|cons| {
cons.take_opt_bool()
})?.unwrap_or(false)
);
Ok(())
cons.take_sequence(|cons| {
*basic_ca = Some(cons.take_opt_bool()?.unwrap_or(false));
if cons.take_opt_u64()?.is_some() {
Err(cons.content_err(
"Basic Constraints extension most not use \
pathLenConstraint"
))
} else {
Ok(())
}
})
}
}

Expand Down
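Review bot: The new error string `"Basic Constraints extension most not use \` has a typo; it should read `"Basic Constraints extension must not use \`, which is worth fixing alongside the `Contraints` → `Constraints` correction this hunk already makes in the duplicate-extension message, since both strings surface to operators through decode errors. Rejecting a present pathLenConstraint also turns a previously accepted encoding into a hard decode failure — consistent with RFC 6487 as the idcert.rs doc comment in this PR describes it — so the function's doc comment should state that a pathLenConstraint is rejected, making the stricter behavior discoverable. The enclosing `take_basic_constraints` begins outside the hunk.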
Binary file added test-data/ca/id_afrinic.cer
Binary file not shown.
5 changes: 5 additions & 0 deletions test-data/ca/rfc8183/afrinic-parent-response.xml
@@ -0,0 +1,5 @@
<?xml version="1.0"?>
<parent_response xmlns="http://www.hactrn.net/uris/rpki/rpki-setup/" version="1" service_uri="https://rpki-rir.dev.mu.afrinic.net/cgi-bin/up-down.cgi/AFRINIC/" parent_handle="AFRINIC" child_handle="F3615BDCAF">
<parent_bpki_ta>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</parent_bpki_ta>
<offer/>
</parent_response>