use der::{Decode, Encode};
use x509_cert::Certificate;
const MILAN_ARK_DER: &[u8] = include_bytes!("ark_roots/milan.der");
const GENOA_ARK_DER: &[u8] = include_bytes!("ark_roots/genoa.der");
const TURIN_ARK_DER: &[u8] = include_bytes!("ark_roots/turin.der");
pub const AMD_ARK_ROOTS: [&[u8]; 3] = [TURIN_ARK_DER, GENOA_ARK_DER, MILAN_ARK_DER];
fn spki_der(cert_der: &[u8]) -> Option<Vec<u8>> {
let cert = Certificate::from_der(cert_der).ok()?;
cert.tbs_certificate.subject_public_key_info.to_der().ok()
}
pub fn is_trusted_ark(ark_der: &[u8]) -> bool {
let Some(candidate) = spki_der(ark_der) else {
return false;
};
AMD_ARK_ROOTS
.iter()
.filter_map(|root| spki_der(root))
.any(|root_spki| root_spki == candidate)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn embedded_roots_parse_and_are_self_signed() {
for (name, der) in [
("turin", TURIN_ARK_DER),
("genoa", GENOA_ARK_DER),
("milan", MILAN_ARK_DER),
] {
let cert = Certificate::from_der(der)
.unwrap_or_else(|e| panic!("{name} ARK must be valid DER: {e}"));
assert_eq!(
cert.tbs_certificate.issuer, cert.tbs_certificate.subject,
"{name} ARK must be self-signed (issuer == subject)"
);
}
}
#[test]
fn genuine_roots_are_trusted() {
for der in AMD_ARK_ROOTS {
assert!(
is_trusted_ark(der),
"an embedded genuine ARK must be trusted"
);
}
}
#[test]
fn empty_and_garbage_are_not_trusted() {
assert!(!is_trusted_ark(&[]));
assert!(!is_trusted_ark(&[0x30, 0x00]));
assert!(!is_trusted_ark(b"not a certificate"));
}
}