Enum apple_codesign::KnownCertificate

pub enum KnownCertificate {
    AppleComputerIncRoot,
    AppleRootCa,
    AppleRootCaG2Root,
    AppleRootCaG3Root,
    AppleIstCa2G1,
    AppleIstCa8G1,
    ApplicationIntegration,
    ApplicationIntegration2,
    ApplicationIntegrationG3,
    AppleApplicationIntegrationCa5G1,
    DeveloperAuthentication,
    DeveloperIdG1,
    DeveloperIdG2,
    SoftwareUpdate,
    Timestamp,
    WwdrG1,
    WwdrG2,
    WwdrG3,
    WwdrG4,
    WwdrG5,
    WwdrG6,
}

Defines all known Apple certificates.

This crate embeds the raw certificate data for the various known Apple certificate authorities, as advertised at https://www.apple.com/certificateauthority/.

This enumeration defines all the ones we know about. Instances can be dereferenced into concrete CapturedX509Certificate to get at the underlying certificate and access its metadata.

Variants

AppleComputerIncRoot

Apple Computer, Inc. Root Certificate.

C = US, O = “Apple Computer, Inc.”, OU = Apple Computer Certificate Authority, CN = Apple Root Certificate Authority

AppleRootCa

Apple Inc. Root Certificate

C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA

AppleRootCaG2Root

Apple Root CA - G2 Root Certificate

CN = Apple Root CA - G2, OU = Apple Certification Authority, O = Apple Inc., C = US

AppleRootCaG3Root

Apple Root CA - G3 Root Certificate

CN = Apple Root CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US

AppleIstCa2G1

Apple IST CA 2 - G1 Certificate

CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US

AppleIstCa8G1

Apple IST CA 8 - G1 Certificate

CN = Apple IST CA 8 - G1, OU = Certification Authority, O = Apple Inc., C = US

ApplicationIntegration

Application Integration Certificate

C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Application Integration Certification Authority

ApplicationIntegration2

Application Integration 2 Certificate

CN = Apple Application Integration 2 Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US

ApplicationIntegrationG3

Application Integration - G3 Certificate

CN = Apple Application Integration CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US

AppleApplicationIntegrationCa5G1

Apple Application Integration CA 5 - G1 Certificate

CN = Apple Application Integration CA 5 - G1, OU = Apple Certification Authority, O = Apple Inc., C = US

DeveloperAuthentication

Developer Authentication Certificate

CN = Developer Authentication Certification Authority, OU = Apple Worldwide Developer Relations, O = Apple Inc., C = US

DeveloperIdG1

Developer ID - G1 Certificate

CN = Developer ID Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US

DeveloperIdG2

Developer ID - G2 Certificate.

CN = Developer ID Certification Authority, OU = G2, O = Apple Inc., C = US

SoftwareUpdate

Software Update Certificate

CN = Apple Software Update Certification Authority, OU = Certification Authority, O = Apple Inc., C = US

Timestamp

Timestamp Certificate

CN = Apple Timestamp Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US

WwdrG1

Worldwide Developer Relations - G1 (Expiring 02/07/2023 21:48:47 UTC) Certificate

C = US, O = Apple Inc., OU = Apple Worldwide Developer Relations, CN = Apple Worldwide Developer Relations Certification Authority

WwdrG2

Worldwide Developer Relations - G2 (Expiring 05/06/2029 23:43:24 UTC) Certificate

CN = Apple Worldwide Developer Relations CA - G2, OU = Apple Certification Authority, O = Apple Inc., C = US

WwdrG3

Worldwide Developer Relations - G3 (Expiring 02/20/2030 00:00:00 UTC) Certificate

CN = Apple Worldwide Developer Relations Certification Authority, OU = G3, O = Apple Inc., C = US

WwdrG4

Worldwide Developer Relations - G4 (Expiring 12/10/2030 00:00:00 UTC) Certificate

CN = Apple Worldwide Developer Relations Certification Authority, OU = G4, O = Apple Inc., C = US

WwdrG5

Worldwide Developer Relations - G5 (Expiring 12/10/2030 00:00:00 UTC) Certificate

CN = Apple Worldwide Developer Relations Certification Authority, OU = G5, O = Apple Inc., C = US

WwdrG6

Worldwide Developer Relations - G6 (Expiring 03/19/2036 00:00:00 UTC) Certificate

CN = Apple Worldwide Developer Relations Certification Authority, OU = G6, O = Apple Inc., C = US

Implementations

impl KnownCertificate

pub fn all() -> &'static [&'static CapturedX509Certificate]

Obtain a slice of all known KnownCertificate.

If you want to iterate over all certificates and find one, you can use this.

Examples found in repository

src/certificate.rs (line 887)

    fn is_apple_intermediate_ca(&self) -> bool {
        KnownCertificate::all().contains(&self) && !KnownCertificate::all_roots().contains(&self)
    }

    fn apple_ca_extension(&self) -> Option<CertificateAuthorityExtension> {
        let cert: &x509_certificate::rfc5280::Certificate = self.as_ref();

        cert.iter_extensions().find_map(|extension| {
            if let Ok(value) = CertificateAuthorityExtension::try_from(&extension.id) {
                Some(value)
            } else {
                None
            }
        })
    }

    fn apple_extended_key_usage_purposes(&self) -> Vec<ExtendedKeyUsagePurpose> {
        let cert: &x509_certificate::rfc5280::Certificate = self.as_ref();

        cert.iter_extensions()
            .filter_map(|extension| {
                if extension.id.as_ref() == OID_EXTENDED_KEY_USAGE.as_ref() {
                    if let Some(oid) = extension.try_decode_sequence_single_oid() {
                        if let Ok(purpose) = ExtendedKeyUsagePurpose::try_from(&oid) {
                            Some(purpose)
                        } else {
                            None
                        }
                    } else {
                        None
                    }
                } else {
                    None
                }
            })
            .collect::<Vec<_>>()
    }

    fn apple_code_signing_extensions(&self) -> Vec<CodeSigningCertificateExtension> {
        let cert: &x509_certificate::rfc5280::Certificate = self.as_ref();

        cert.iter_extensions()
            .filter_map(|extension| {
                if let Ok(value) = CodeSigningCertificateExtension::try_from(&extension.id) {
                    Some(value)
                } else {
                    None
                }
            })
            .collect::<Vec<_>>()
    }

    fn apple_guess_profile(&self) -> Option<CertificateProfile> {
        let ekus = self.apple_extended_key_usage_purposes();
        let signing = self.apple_code_signing_extensions();

        // Some EKUs uniquely identify the certificate profile. We don't yet handle
        // all EKUs because we don't have profiles defined for them.
        //
        // Ideally this logic stays in sync with apple_certificate_profile().
        if ekus.contains(&ExtendedKeyUsagePurpose::DeveloperIdInstaller) {
            Some(CertificateProfile::DeveloperIdInstaller)
        } else if ekus.contains(&ExtendedKeyUsagePurpose::ThirdPartyMacDeveloperInstaller) {
            Some(CertificateProfile::MacInstallerDistribution)
            // That's all the EKUs that have a 1:1 to CertificateProfile. Now look at
            // code signing extensions.
        } else if signing.contains(&CodeSigningCertificateExtension::DeveloperIdApplication) {
            Some(CertificateProfile::DeveloperIdApplication)
        } else if signing.contains(&CodeSigningCertificateExtension::IPhoneDeveloper)
            && signing.contains(&CodeSigningCertificateExtension::MacDeveloper)
        {
            Some(CertificateProfile::AppleDevelopment)
        } else if signing.contains(&CodeSigningCertificateExtension::AppleMacAppSigningDevelopment)
            && signing
                .contains(&CodeSigningCertificateExtension::AppleDeveloperCertificateSubmission)
        {
            Some(CertificateProfile::AppleDistribution)
        } else {
            None
        }
    }

    fn apple_issuing_chain(&self) -> Vec<KnownCertificate> {
        self.resolve_signing_chain(KnownCertificate::all().iter().copied())
            .into_iter()
            .filter_map(|cert| KnownCertificate::try_from(cert).ok())
            .collect::<Vec<_>>()
    }

    fn chains_to_apple_root_ca(&self) -> bool {
        if self.is_apple_root_ca() {
            true
        } else {
            self.resolve_signing_chain(KnownCertificate::all().iter().copied())
                .into_iter()
                .any(|cert| cert.is_apple_root_ca())
        }
    }

    fn apple_root_certificate_chain(&self) -> Option<Vec<CapturedX509Certificate>> {
        let mut chain = vec![self.clone()];

        for cert in self.resolve_signing_chain(KnownCertificate::all().iter().copied()) {
            chain.push(cert.clone());

            if cert.is_apple_root_ca() {
                break;
            }
        }

        if chain.last().unwrap().is_apple_root_ca() {
            Some(chain)
        } else {
            None
        }
    }

pub fn all_roots() -> &'static [&'static CapturedX509Certificate]

All of Apple’s known root certificate authority certificates.

Examples found in repository

src/certificate.rs (line 883)

    fn is_apple_root_ca(&self) -> bool {
        KnownCertificate::all_roots().contains(&self)
    }

    fn is_apple_intermediate_ca(&self) -> bool {
        KnownCertificate::all().contains(&self) && !KnownCertificate::all_roots().contains(&self)
    }

Methods from Deref<Target = CapturedX509Certificate>

pub fn constructed_data(&self) -> &[u8]

Obtain the DER data that was used to construct this instance.

The data is guaranteed to not have been modified since the instance was constructed.

pub fn encode_pem(&self) -> String

Encode the original contents of this certificate to PEM.

pub fn verify_signed_by_certificate(
    &self,
    other: impl AsRef<X509Certificate>
) -> Result<(), X509CertificateError>

Verify that another certificate, other, signed this certificate.

If this is a self-signed certificate, you can pass self as the 2nd argument.

This function isn’t exposed on X509Certificate because the exact bytes constituting the certificate’s internals need to be consulted to verify signatures. And since this type tracks the underlying bytes, we are guaranteed to have a pristine copy.

pub fn verify_signed_data(
    &self,
    signed_data: impl AsRef<[u8]>,
    signature: impl AsRef<[u8]>
) -> Result<(), X509CertificateError>

Verify a signature over signed data purportedly signed by this certificate.

This is a wrapper to Self::verify_signed_data_with_algorithm() that will derive the verification algorithm from the public key type type and the signature algorithm indicated in this certificate. Typically these align. However, it is possible for a signature to be produced with a different digest algorithm from that indicated in this certificate.

pub fn verify_signed_data_with_algorithm(
    &self,
    signed_data: impl AsRef<[u8]>,
    signature: impl AsRef<[u8]>,
    verify_algorithm: &'static (dyn VerificationAlgorithm + 'static)
) -> Result<(), X509CertificateError>

Verify a signature over signed data using an explicit verification algorithm.

This is like Self::verify_signed_data() except the verification algorithm to use is passed in instead of derived from the default algorithm for the signing key’s type.

pub fn verify_signed_by_public_key(
    &self,
    public_key_data: impl AsRef<[u8]>
) -> Result<(), X509CertificateError>

Verifies that this certificate was cryptographically signed using raw public key data from a signing key.

This function does the low-level work of extracting the signature and verification details from the current certificate and figuring out the correct combination of cryptography settings to apply to perform signature verification.

In many cases, an X.509 certificate is signed by another certificate. And since the public key is embedded in the X.509 certificate, it is easier to go through Self::verify_signed_by_certificate instead.

pub fn find_signing_certificate<'a>(
    &self,
    certs: impl Iterator<Item = &'a CapturedX509Certificate>
) -> Option<&'a CapturedX509Certificate>

Attempt to find the issuing certificate of this one.

Given an iterable of certificates, we find the first certificate where we are able to verify that our signature was made by their public key.

This function can yield false negatives for cases where we don’t support the signature algorithm on the incoming certificates.

pub fn resolve_signing_chain<'a>(
    &self,
    certs: impl Iterator<Item = &'a CapturedX509Certificate>
) -> Vec<&'a CapturedX509Certificate, Global>

Attempt to resolve the signing chain of this certificate.

Given an iterable of certificates, we recursively resolve the chain of certificates that signed this one until we are no longer able to find any more certificates in the input set.

Like Self::find_signing_certificate, this can yield false negatives (read: an incomplete chain) due to run-time failures, such as lack of support for a certificate’s signature algorithm.

As a certificate is encountered, it is removed from the set of future candidates.

The traversal ends when we get to an identical certificate (its DER data is equivalent) or we couldn’t find a certificate in the remaining set that signed the last one.

Because we need to recursively verify certificates, the incoming iterator is buffered.

Methods from Deref<Target = X509Certificate>

pub fn serial_number_asn1(&self) -> &Integer

Obtain the serial number as the ASN.1 Integer type.

pub fn subject_name(&self) -> &Name

Obtain the certificate’s subject, as its ASN.1 Name type.

pub fn subject_common_name(&self) -> Option<String>

Obtain the Common Name (CN) attribute from the certificate’s subject, if set and decodable.

pub fn issuer_name(&self) -> &Name

Obtain the certificate’s issuer, as its ASN.1 Name type.

pub fn issuer_common_name(&self) -> Option<String>

Obtain the Common Name (CN) attribute from the certificate’s issuer, if set and decodable.

pub fn iter_extensions(&self) -> impl Iterator<Item = &Extension>

Iterate over extensions defined in this certificate.

pub fn encode_der_to(&self, fh: &mut impl Write) -> Result<(), Error>

Encode the certificate data structure using DER encoding.

(This is the common ASN.1 encoding format for X.509 certificates.)

This always serializes the internal ASN.1 data structure. If you call this on a wrapper type that has retained a copy of the original data, this may emit different data than that copy.

pub fn encode_ber_to(&self, fh: &mut impl Write) -> Result<(), Error>

Encode the certificate data structure use BER encoding.

pub fn encode_der(&self) -> Result<Vec<u8, Global>, Error>

Encode the internal ASN.1 data structures to DER.

pub fn encode_ber(&self) -> Result<Vec<u8, Global>, Error>

Obtain the BER encoded representation of this certificate.

pub fn write_pem(&self, fh: &mut impl Write) -> Result<(), Error>

Encode the certificate to PEM.

This will write a human-readable string with ------ BEGIN CERTIFICATE ------- armoring. This is a very common method for encoding certificates.

The underlying binary data is DER encoded.

pub fn encode_pem(&self) -> Result<String, Error>

Encode the certificate to a PEM string.

pub fn key_algorithm(&self) -> Option<KeyAlgorithm>

Attempt to resolve a known KeyAlgorithm used by the private key associated with this certificate.

If this crate isn’t aware of the OID associated with the key algorithm, None is returned.

pub fn key_algorithm_oid(&self) -> &Oid<Bytes>

Obtain the OID of the private key’s algorithm.

pub fn signature_algorithm(&self) -> Option<SignatureAlgorithm>

Obtain the [SignatureAlgorithm this certificate will use.

Returns None if we failed to resolve an instance (probably because we don’t recognize the algorithm).

pub fn signature_algorithm_oid(&self) -> &Oid<Bytes>

Obtain the OID of the signature algorithm this certificate will use.

pub fn signature_signature_algorithm(&self) -> Option<SignatureAlgorithm>

Obtain the SignatureAlgorithm used to sign this certificate.

Returns None if we failed to resolve an instance (probably because we don’t recognize that algorithm).

pub fn signature_signature_algorithm_oid(&self) -> &Oid<Bytes>

Obtain the OID of the signature algorithm used to sign this certificate.

pub fn public_key_data(&self) -> Bytes

Obtain the raw data constituting this certificate’s public key.

A copy of the data is returned.

pub fn rsa_public_key_data(&self) -> Result<RsaPublicKey, X509CertificateError>

Attempt to parse the public key data as RsaPublicKey parameters.

Note that the raw integer value for modulus has a leading 0 byte. So its raw length will be 1 greater than key length. e.g. an RSA 2048 key will have value.modulus.as_slice().len() == 257 instead of 256.

pub fn compare_issuer(&self, other: &X509Certificate) -> Ordering

Compare 2 instances, sorting them so the issuer comes before the issued.

This function examines the Self::issuer_name and Self::subject_name fields of 2 certificates, attempting to sort them so the issuing certificate comes before the issued certificate.

This function performs a strict compare of the ASN.1 Name data. The assumption here is that the issuing certificate’s subject Name is identical to the issued’s issuer Name. This assumption is often true. But it likely isn’t always true, so this function may not produce reliable results.

pub fn subject_is_issuer(&self) -> bool

Whether the subject Name is also the issuer’s Name.

This might be a way of determining if a certificate is self-signed. But there can likely be false negatives due to differences in ASN.1 encoding of the underlying data. So we don’t claim this is a test for being self-signed.

pub fn fingerprint(&self, algorithm: DigestAlgorithm) -> Result<Digest, Error>

Obtain the fingerprint for this certificate given a digest algorithm.

pub fn sha1_fingerprint(&self) -> Result<Digest, Error>

Obtain the SHA-1 fingerprint of this certificate.

pub fn sha256_fingerprint(&self) -> Result<Digest, Error>

Obtain the SHA-256 fingerprint of this certificate.

Trait Implementations

impl AsRef<CapturedX509Certificate> for KnownCertificate

fn as_ref(&self) -> &CapturedX509Certificate

Converts this type into a shared reference of the (usually inferred) input type.

impl Clone for KnownCertificate

fn clone(&self) -> KnownCertificate

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for KnownCertificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Deref for KnownCertificate

type Target = CapturedX509Certificate

The resulting type after dereferencing.

fn deref(&self) -> &Self::Target

Dereferences the value.

impl PartialEq<KnownCertificate> for KnownCertificate

fn eq(&self, other: &KnownCertificate) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl TryFrom<&CapturedX509Certificate> for KnownCertificate

type Error = &'static str

The type returned in the event of a conversion error.

fn try_from(cert: &CapturedX509Certificate) -> Result<Self, Self::Error>

Performs the conversion.

impl Copy for KnownCertificate

impl Eq for KnownCertificate

impl StructuralEq for KnownCertificate

impl StructuralPartialEq for KnownCertificate