attestation_validator/

lib.rs

#![doc = include_str!("../README.md")]
#![deny(missing_docs)]

use std::{
    collections::HashMap,
    io::{BufReader, Read, Seek},
};

use x509_parser::{
    error::X509Error,
    pem::Pem,
    prelude::{FromDer, X509Certificate},
};

/// Error when parsing artifacts or performing validation.
#[non_exhaustive]
#[derive(Debug, thiserror::Error)]
pub enum Error {
    /// X509 error.
    #[error("X509 error")]
    X509(#[from] x509_parser::error::X509Error),

    /// PEM format error.
    #[error("PEM error")]
    Pem(#[from] x509_parser::error::PEMError),

    /// Expected OID has not been found.
    #[error("Expected to find OID {oid} but it is missing")]
    OidMissing {
        /// The OID that was expected.
        oid: String,
    },

    /// Unexpected field value.
    #[error("Field has unexpected value")]
    UnexpectedFieldValue {
        /// Field description.
        field: String,

        /// Expected value.
        expected: String,

        /// Actual value.
        actual: String,
    },

    /// Expected to find a certificate.
    #[error("Certificate is missing")]
    CertificateMissing,
}

impl From<x509_parser::asn1_rs::Err<x509_parser::error::X509Error>> for Error {
    fn from(value: x509_parser::asn1_rs::Err<x509_parser::error::X509Error>) -> Self {
        use x509_parser::nom::Err;
        let inner = match value {
            Err::Incomplete(_) => X509Error::Generic,
            Err::Error(e) | Err::Failure(e) => e,
        };
        Self::X509(inner)
    }
}

/// Library-specific result type.
pub type Result<T> = std::result::Result<T, Error>;

/// Attestation validator.
#[derive(Default, Debug)]
pub struct Validator {
    cert_chain: Vec<OwnedCert>,
}

#[derive(Debug)]
struct OwnedCert {
    contents: Vec<u8>,
}

impl OwnedCert {
    fn new(contents: Vec<u8>) -> Self {
        Self { contents }
    }
}

impl Validator {
    fn add_and_validate(&mut self, der: Vec<u8>) -> Result<()> {
        if let Some(parent) = self.cert_chain.last() {
            let parent = X509Certificate::from_der(&parent.contents)?.1;
            let current = X509Certificate::from_der(&der)?.1;
            current.verify_signature(Some(parent.public_key()))?;
        }
        self.cert_chain.push(OwnedCert::new(der));
        Ok(())
    }

    /// Adds one or more PEM-encoded certificates from the reader to the certificate chain.
    ///
    /// Adding certificate triggers chain validation.
    ///
    /// # Errors
    ///
    /// Returns an error if PEM parsing fails or certificate chain validation fails.
    pub fn add_from_pem(&mut self, reader: impl Read + Seek) -> Result<()> {
        for pem in Pem::iter_from_reader(BufReader::new(reader)) {
            let pem = pem?;
            self.add_and_validate(pem.contents)?;
        }
        Ok(())
    }

    /// Add one raw, binary DER-encoded certificate to the certificate chain.
    ///
    /// Adding certificate triggers chain validation.
    ///
    /// # Errors
    ///
    /// Returns an error if DER parsing fails or certificate chain validation fails.
    pub fn add_from_der(&mut self, der: Vec<u8>) -> Result<()> {
        self.add_and_validate(der)?;
        Ok(())
    }

    /// Returns [extensions][Extensions] present in the last certificate in the chain (leaf).
    ///
    /// # Errors
    ///
    /// Returns an error if DER parsing of the last certificate fails, if there are no certificates in the chain or no extensions.
    pub fn leaf_extensions(&self) -> Result<Extensions> {
        let leaf = self.cert_chain.last().ok_or(Error::CertificateMissing)?;
        let leaf = X509Certificate::from_der(&leaf.contents)?.1;
        let ext = leaf.extensions_map()?;
        Ok(Extensions(
            ext.into_iter()
                .map(|(k, v)| (k.to_string(), v.value.to_vec()))
                .collect(),
        ))
    }
}

macro_rules! check_eq {
    ($actual:expr, $expected:expr, $descr:tt) => {
        match (&$actual, &$expected, &$descr) {
            (actual, expected, descr) => {
                if actual != expected {
                    return Err(Error::UnexpectedFieldValue {
                        field: (*descr).into(),
                        expected: (*expected).to_string(),
                        actual: (*actual).to_string(),
                    });
                }
            }
        }
    };
}

/// Represents certificate extensions.
#[derive(Debug)]
pub struct Extensions(HashMap<String, Vec<u8>>);

impl Extensions {
    /// Return inner object holding a map from stringified OIDs to their raw values.
    #[must_use]
    pub fn into_inner(self) -> HashMap<String, Vec<u8>> {
        self.0
    }

    /// Return a value of the extension if it is present or an error otherwise.
    ///
    /// # Errors
    ///
    /// If the value for given `oid` is missing this function returns [`Error::OidMissing`].
    pub fn get(&self, oid: &str) -> Result<&[u8]> {
        self.0
            .get(oid)
            .map(|v| &v[..])
            .ok_or_else(|| Error::OidMissing { oid: oid.into() })
    }

    /// Returns an attestation object specific to YubiHSM.
    ///
    /// # Errors
    ///
    /// If the value for given `oid` is missing this function returns [`Error::OidMissing`].
    /// If field values have unexpected values [`Error::UnexpectedFieldValue`] is returned.
    pub fn to_yubihsm_attestation(&self) -> Result<YubiHsmAttestation> {
        let firmware_version = self.get("1.3.6.1.4.1.41482.4.1")?;
        check_eq!(firmware_version[0], 4, "octet string");
        check_eq!(firmware_version[1], 3, "length");
        let firmware_version = (
            firmware_version[2],
            firmware_version[3],
            firmware_version[4],
        );

        let serial_number = self.get("1.3.6.1.4.1.41482.4.2")?;
        check_eq!(serial_number[0], 2, "integer");
        check_eq!(serial_number[1], 4, "length");
        let mut sn: [u8; 4] = [0; 4];
        sn.copy_from_slice(&serial_number[2..6]);
        let serial_number = u32::from_be_bytes(sn);

        let origin = self.get("1.3.6.1.4.1.41482.4.3")?;
        check_eq!(origin[0], 3, "bit string");
        check_eq!(origin[1], 2, "length");
        check_eq!(origin[2], 0, "padding");
        let origin = origin[3];

        let domains = self.get("1.3.6.1.4.1.41482.4.4")?;
        check_eq!(domains[0], 3, "bit string");
        check_eq!(domains[1], 3, "length");
        check_eq!(domains[2], 0, "padding");
        let domains = u16::from_be_bytes([domains[3], domains[4]]);

        let capabilities = self.get("1.3.6.1.4.1.41482.4.5")?;
        check_eq!(capabilities[0], 3, "bit string");
        check_eq!(capabilities[1], 9, "length");
        check_eq!(capabilities[2], 0, "padding");
        let mut caps = [0; 8];
        caps.copy_from_slice(&capabilities[3..]);

        let object_id = self.get("1.3.6.1.4.1.41482.4.6")?;
        check_eq!(object_id[0], 2, "integer");
        check_eq!(object_id[1], 1, "length");
        let object_id = u16::from_be_bytes([0, object_id[2]]);

        let label = self.get("1.3.6.1.4.1.41482.4.9")?;
        check_eq!(label[0], 12, "utf-8 string");
        let label = String::from_utf8_lossy(&label[2..]).into_owned();

        Ok(YubiHsmAttestation {
            firmware_version,
            serial_number,
            origin,
            domains,
            capabilities: caps,
            object_id,
            label,
        })
    }
}

/// YubiHSM specific attestation values.
///
/// See [Core Concepts: Attestation](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#attestation) for more details.
#[non_exhaustive]
#[derive(Debug)]
pub struct YubiHsmAttestation {
    /// Firmware version.
    pub firmware_version: (u8, u8, u8),

    /// YubiHSM serial number.
    pub serial_number: u32,

    /// Key origin.
    ///
    /// See [Core Concepts: Origin](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#origin) for more details.
    pub origin: u8,

    /// Key domain.
    ///
    /// See [Core Concepts: Domains](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#domains) for more details.
    pub domains: u16,

    /// Key capability bits.
    ///
    /// See [Core Concepts: Capabilities](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#capabilities) for more details.
    pub capabilities: [u8; 8],

    /// Object ID for which the attestation has been issued.
    ///
    /// See [Core Concepts: Object ID](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#object-id) for more details.
    pub object_id: u16,

    /// Object label as a UTF-8 string.
    ///
    /// See [Core Concepts: Label](https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#label) for more details.
    pub label: String,
}

#[cfg(test)]
mod tests {
    use std::fs::File;

    use testresult::TestResult;

    use super::*;

    #[test]
    fn test_sample_chain() -> TestResult {
        let mut validator = Validator::default();
        validator.add_from_pem(File::open("yubihsm2-attest-ca-crt-pem")?)?;
        validator.add_from_pem(File::open("intermediate-pem")?)?;

        let binding = std::fs::read("attestation-cert.cer")?;
        validator.add_from_der(binding)?;

        validator.add_from_pem(File::open("attestation-pem")?)?;

        Ok(())
    }

    #[test]
    fn test_broken_chain() -> TestResult {
        let mut validator = Validator::default();
        validator.add_from_pem(File::open("yubihsm2-attest-ca-crt-pem")?)?;
        validator.add_from_pem(File::open("intermediate-pem")?)?;

        // device attestation cert is missing so the next line should fail

        let result = validator.add_from_pem(File::open("attestation-pem")?);
        assert!(result.is_err());

        Ok(())
    }

    #[test]
    fn test_leaf_extensions() -> TestResult {
        let mut validator = Validator::default();

        validator.add_from_pem(File::open("attestation-pem")?)?;
        // https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-core-concepts.html#certificate-extensions
        let extensions = validator.leaf_extensions()?.into_inner();
        assert_eq!(extensions["1.3.6.1.4.1.41482.4.1"], vec![4, 3, 2, 4, 1]);
        assert_eq!(
            extensions["1.3.6.1.4.1.41482.4.2"],
            vec![2, 4, 2, 11, 217, 253]
        );
        assert_eq!(extensions["1.3.6.1.4.1.41482.4.3"], vec![3, 2, 0, 1]);
        assert_eq!(extensions["1.3.6.1.4.1.41482.4.4"], vec![3, 3, 0, 0, 1]);
        assert_eq!(
            extensions["1.3.6.1.4.1.41482.4.5"],
            vec![3, 9, 0, 0, 0, 0, 0, 0, 0, 1, 0]
        );
        assert_eq!(extensions["1.3.6.1.4.1.41482.4.6"], vec![2, 1, 3]);
        assert_eq!(extensions["1.3.6.1.4.1.41482.4.9"], vec![12, 0]);

        Ok(())
    }

    #[test]
    fn test_yubihsm_attestation_extensions() -> TestResult {
        let mut validator = Validator::default();

        validator.add_from_pem(File::open("attestation-pem")?)?;

        let attestation = validator.leaf_extensions()?.to_yubihsm_attestation()?;
        assert_eq!(attestation.firmware_version, (2, 4, 1));
        assert_eq!(attestation.serial_number, 34_331_133);
        assert_eq!(attestation.origin, 0x01);
        assert_eq!(attestation.domains, 0x00_01);
        assert_eq!(attestation.capabilities, [0, 0, 0, 0, 0, 0, 1, 0]);
        assert_eq!(attestation.object_id, 0x03);
        assert_eq!(attestation.label, "");

        Ok(())
    }

    #[test]
    fn test_yubihsm_attestation_extensions_fail() -> TestResult {
        let mut validator = Validator::default();

        validator.add_from_pem(File::open("intermediate-pem")?)?;

        let attestation = validator.leaf_extensions()?.to_yubihsm_attestation();

        let Err(e) = attestation else {
            panic!("Parsing succeeded but should fail");
        };

        let Error::OidMissing { oid } = e else {
            panic!("The error should indicate OidMissing but was: {e:?}");
        };

        assert_eq!(oid, "1.3.6.1.4.1.41482.4.1");

        Ok(())
    }
}