clia_rustls_mod/webpki/
mod.rs

1#[cfg(feature = "std")]
2use alloc::sync::Arc;
3use alloc::vec::Vec;
4use core::fmt;
5
6use pki_types::CertificateRevocationListDer;
7use webpki::{CertRevocationList, OwnedCertRevocationList};
8
9use crate::error::{CertRevocationListError, CertificateError, Error, OtherError};
10
11mod anchors;
12mod client_verifier;
13mod server_verifier;
14mod verify;
15
16pub use anchors::RootCertStore;
17pub use client_verifier::{ClientCertVerifierBuilder, WebPkiClientVerifier};
18pub use server_verifier::{ServerCertVerifierBuilder, WebPkiServerVerifier};
19// Conditionally exported from crate.
20#[allow(unreachable_pub)]
21pub use verify::{
22    verify_server_cert_signed_by_trust_anchor, verify_server_name, ParsedCertificate,
23};
24pub use verify::{verify_tls12_signature, verify_tls13_signature, WebPkiSupportedAlgorithms};
25
26/// An error that can occur when building a certificate verifier.
27#[derive(Debug, Clone)]
28#[non_exhaustive]
29pub enum VerifierBuilderError {
30    /// No root trust anchors were provided.
31    NoRootAnchors,
32    /// A provided CRL could not be parsed.
33    InvalidCrl(CertRevocationListError),
34}
35
36impl From<CertRevocationListError> for VerifierBuilderError {
37    fn from(value: CertRevocationListError) -> Self {
38        Self::InvalidCrl(value)
39    }
40}
41
42impl fmt::Display for VerifierBuilderError {
43    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
44        match self {
45            Self::NoRootAnchors => write!(f, "no root trust anchors were provided"),
46            Self::InvalidCrl(e) => write!(f, "provided CRL could not be parsed: {:?}", e),
47        }
48    }
49}
50
51#[cfg(feature = "std")]
52impl std::error::Error for VerifierBuilderError {}
53
54fn pki_error(error: webpki::Error) -> Error {
55    use webpki::Error::*;
56    match error {
57        BadDer | BadDerTime | TrailingData(_) => CertificateError::BadEncoding.into(),
58        CertNotValidYet => CertificateError::NotValidYet.into(),
59        CertExpired | InvalidCertValidity => CertificateError::Expired.into(),
60        UnknownIssuer => CertificateError::UnknownIssuer.into(),
61        CertNotValidForName => CertificateError::NotValidForName.into(),
62        CertRevoked => CertificateError::Revoked.into(),
63        UnknownRevocationStatus => CertificateError::UnknownRevocationStatus.into(),
64        IssuerNotCrlSigner => CertRevocationListError::IssuerInvalidForCrl.into(),
65
66        InvalidSignatureForPublicKey
67        | UnsupportedSignatureAlgorithm
68        | UnsupportedSignatureAlgorithmForPublicKey => CertificateError::BadSignature.into(),
69
70        InvalidCrlSignatureForPublicKey
71        | UnsupportedCrlSignatureAlgorithm
72        | UnsupportedCrlSignatureAlgorithmForPublicKey => {
73            CertRevocationListError::BadSignature.into()
74        }
75
76        _ => CertificateError::Other(OtherError(
77            #[cfg(feature = "std")]
78            Arc::new(error),
79        ))
80        .into(),
81    }
82}
83
84fn crl_error(e: webpki::Error) -> CertRevocationListError {
85    use webpki::Error::*;
86    match e {
87        InvalidCrlSignatureForPublicKey
88        | UnsupportedCrlSignatureAlgorithm
89        | UnsupportedCrlSignatureAlgorithmForPublicKey => CertRevocationListError::BadSignature,
90        InvalidCrlNumber => CertRevocationListError::InvalidCrlNumber,
91        InvalidSerialNumber => CertRevocationListError::InvalidRevokedCertSerialNumber,
92        IssuerNotCrlSigner => CertRevocationListError::IssuerInvalidForCrl,
93        MalformedExtensions | BadDer | BadDerTime => CertRevocationListError::ParseError,
94        UnsupportedCriticalExtension => CertRevocationListError::UnsupportedCriticalExtension,
95        UnsupportedCrlVersion => CertRevocationListError::UnsupportedCrlVersion,
96        UnsupportedDeltaCrl => CertRevocationListError::UnsupportedDeltaCrl,
97        UnsupportedIndirectCrl => CertRevocationListError::UnsupportedIndirectCrl,
98        UnsupportedRevocationReason => CertRevocationListError::UnsupportedRevocationReason,
99
100        _ => CertRevocationListError::Other(OtherError(
101            #[cfg(feature = "std")]
102            Arc::new(e),
103        )),
104    }
105}
106
107fn parse_crls(
108    crls: Vec<CertificateRevocationListDer<'_>>,
109) -> Result<Vec<CertRevocationList<'_>>, CertRevocationListError> {
110    crls.iter()
111        .map(|der| OwnedCertRevocationList::from_der(der.as_ref()).map(Into::into))
112        .collect::<Result<Vec<_>, _>>()
113        .map_err(crl_error)
114}
115
116mod tests {
117    #[test]
118    fn pki_crl_errors() {
119        use super::{pki_error, CertRevocationListError, CertificateError, Error};
120
121        // CRL signature errors should be turned into BadSignature.
122        assert_eq!(
123            pki_error(webpki::Error::InvalidCrlSignatureForPublicKey),
124            Error::InvalidCertRevocationList(CertRevocationListError::BadSignature),
125        );
126        assert_eq!(
127            pki_error(webpki::Error::UnsupportedCrlSignatureAlgorithm),
128            Error::InvalidCertRevocationList(CertRevocationListError::BadSignature),
129        );
130        assert_eq!(
131            pki_error(webpki::Error::UnsupportedCrlSignatureAlgorithmForPublicKey),
132            Error::InvalidCertRevocationList(CertRevocationListError::BadSignature),
133        );
134
135        // Revoked cert errors should be turned into Revoked.
136        assert_eq!(
137            pki_error(webpki::Error::CertRevoked),
138            Error::InvalidCertificate(CertificateError::Revoked),
139        );
140
141        // Issuer not CRL signer errors should be turned into IssuerInvalidForCrl
142        assert_eq!(
143            pki_error(webpki::Error::IssuerNotCrlSigner),
144            Error::InvalidCertRevocationList(CertRevocationListError::IssuerInvalidForCrl)
145        );
146    }
147
148    #[test]
149    fn crl_error_from_webpki() {
150        use super::crl_error;
151        use super::CertRevocationListError::*;
152
153        let testcases = &[
154            (webpki::Error::InvalidCrlSignatureForPublicKey, BadSignature),
155            (
156                webpki::Error::UnsupportedCrlSignatureAlgorithm,
157                BadSignature,
158            ),
159            (
160                webpki::Error::UnsupportedCrlSignatureAlgorithmForPublicKey,
161                BadSignature,
162            ),
163            (webpki::Error::InvalidCrlNumber, InvalidCrlNumber),
164            (
165                webpki::Error::InvalidSerialNumber,
166                InvalidRevokedCertSerialNumber,
167            ),
168            (webpki::Error::IssuerNotCrlSigner, IssuerInvalidForCrl),
169            (webpki::Error::MalformedExtensions, ParseError),
170            (webpki::Error::BadDer, ParseError),
171            (webpki::Error::BadDerTime, ParseError),
172            (
173                webpki::Error::UnsupportedCriticalExtension,
174                UnsupportedCriticalExtension,
175            ),
176            (webpki::Error::UnsupportedCrlVersion, UnsupportedCrlVersion),
177            (webpki::Error::UnsupportedDeltaCrl, UnsupportedDeltaCrl),
178            (
179                webpki::Error::UnsupportedIndirectCrl,
180                UnsupportedIndirectCrl,
181            ),
182            (
183                webpki::Error::UnsupportedRevocationReason,
184                UnsupportedRevocationReason,
185            ),
186        ];
187        for t in testcases {
188            assert_eq!(crl_error(t.0), t.1);
189        }
190
191        assert!(matches!(
192            crl_error(webpki::Error::NameConstraintViolation),
193            Other(..)
194        ));
195    }
196}