c2pa 0.82.0

Rust SDK for C2PA (Coalition for Content Provenance and Authenticity) implementors
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

// Copyright 2022 Adobe. All rights reserved.
// This file is licensed to you under the Apache License,
// Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
// or the MIT license (http://opensource.org/licenses/MIT),
// at your option.

// Unless required by applicable law or agreed to in writing,
// this software is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR REPRESENTATIONS OF ANY KIND, either express or
// implied. See the LICENSE-MIT and LICENSE-APACHE files for the
// specific language governing permissions and limitations under
// each license.

use openssl::{
    stack::Stack,
    x509::{verify::X509VerifyFlags, X509StoreContext, X509},
};

use crate::crypto::{
    cose::{CertificateTrustError, CertificateTrustPolicy, TrustAnchorType},
    raw_signature::openssl::OpenSslMutex,
};

pub(crate) fn check_certificate_trust(
    ctp: &CertificateTrustPolicy,
    chain_der: &[Vec<u8>],
    cert_der: &[u8],
    signing_time_epoch: Option<i64>,
) -> Result<TrustAnchorType, CertificateTrustError> {
    let _openssl = OpenSslMutex::acquire()?;

    if ctp.trust_anchor_ders().count() == 0 && ctp.user_trust_anchor_ders().count() == 0 {
        return Err(CertificateTrustError::CertificateNotTrusted);
    }

    let mut cert_chain = Stack::new()?;
    for cert_der in chain_der {
        let x509_cert = X509::from_der(cert_der)?;
        cert_chain.push(x509_cert)?;
    }

    let cert = X509::from_der(cert_der)?;

    let mut builder = openssl::x509::store::X509StoreBuilder::new()?;
    builder.set_flags(X509VerifyFlags::X509_STRICT)?;

    let mut verify_param = openssl::x509::verify::X509VerifyParam::new()?;
    verify_param.set_flags(X509VerifyFlags::X509_STRICT)?;
    verify_param.set_flags(X509VerifyFlags::PARTIAL_CHAIN)?; // allow intermediates to be on anchor list

    if let Some(st) = signing_time_epoch {
        verify_param.set_time(st);
    } else {
        verify_param.set_flags(X509VerifyFlags::NO_CHECK_TIME)?;
    }

    builder.set_param(&verify_param)?;

    // add trust anchors.
    for der in ctp.trust_anchor_ders() {
        let root_cert = X509::from_der(der)?;
        builder.add_cert(root_cert)?;
    }

    let store = builder.build();

    // try system trust anchors
    let mut store_ctx = X509StoreContext::new()?;
    if store_ctx.init(&store, cert.as_ref(), &cert_chain, |f| f.verify_cert())? {
        Ok(TrustAnchorType::System)
    } else if !ctp.trust_anchors_only() {
        // try the user trust anchors
        let mut builder = openssl::x509::store::X509StoreBuilder::new()?;
        builder.set_flags(X509VerifyFlags::X509_STRICT)?;

        builder.set_param(&verify_param)?;

        // add user trust anchors.
        for der in ctp.user_trust_anchor_ders() {
            let root_cert = X509::from_der(der)?;
            builder.add_cert(root_cert)?;
        }

        let store = builder.build();

        let mut store_ctx = X509StoreContext::new()?;
        if store_ctx.init(&store, cert.as_ref(), &cert_chain, |f| f.verify_cert())? {
            Ok(TrustAnchorType::User)
        } else {
            Err(CertificateTrustError::CertificateNotTrusted)
        }
    } else {
        Err(CertificateTrustError::CertificateNotTrusted)
    }
}