1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123
/* Copyright (c) Fortanix, Inc.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
//! PKIMessage type
use bit_vec::BitVec;
use yasna::{ASN1Result, BERDecodable, BERReader, DERWriter, Tag};
use crate::{x509::GenericCertificate, DerWrite};
use super::{body::PkiBody, header::PkiHeader};
derive_sequence! {
/// The `PKIMessage` type is defined in [RFC 4210 Section 5.1].
///
/// ```text
/// PKIMessage ::= SEQUENCE {
/// header PKIHeader,
/// body PKIBody,
/// protection [0] PKIProtection OPTIONAL,
/// extraCerts [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
/// OPTIONAL }
/// ```
///
/// [RFC 4210 Section 5.1]: https://datatracker.ietf.org/doc/html/rfc4210#section-5.1
///
/// Tags are EXPLICIT TAG in default according to [rfc4210#appendix-F](https://datatracker.ietf.org/doc/html/rfc4210#appendix-F).
PkiMessage<'a> {
header: [_] UNTAGGED REQUIRED: PkiHeader<'a>,
body: [_] UNTAGGED REQUIRED: PkiBody,
protection: [0] EXPLICIT OPTIONAL: Option<PkiProtection>,
extra_certs: [1] EXPLICIT OPTIONAL: Option<CmpCertificates>,
}
}
/// The `PKIProtection` type is defined in [RFC 4210 Section 5.1.3].
///
/// ```text
/// PKIProtection ::= BIT STRING
/// ```
///
/// [RFC 4210 Section 5.1.3]: https://www.rfc-editor.org/rfc/rfc4210#section-5.1.3
pub type PkiProtection = BitVec;
/// The `CMPCertificate` type is defined in [RFC 4210 Appendix F]
///
/// ```text
/// CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... }
/// ```
///
/// [RFC 4210 Appendix F]: https://www.rfc-editor.org/rfc/rfc4210#appendix-F
pub type CmpCertificate = GenericCertificate;
derive_sequence_of!{
/// Represents: SEQUENCE SIZE (1..MAX) OF CMPCertificate
CmpCertificate => CmpCertificates
}
derive_sequence! {
/// The `ProtectedPart` type is defined in [RFC 4210 Section 5.1.3].
///
/// ```text
/// ProtectedPart ::= SEQUENCE {
/// header PKIHeader,
/// body PKIBody }
/// ```
///
/// [RFC 4210 Section 5.1.3]: https://www.rfc-editor.org/rfc/rfc4210#section-5.1.3
ProtectedPart<'a> {
header: PkiHeader<'a>,
body: PkiBody,
}
}
#[cfg(test)]
mod test {
use crate::{FromDer, ToDer};
use b64_ct::{FromBase64, ToBase64, STANDARD};
use super::*;
#[test]
fn test_ftx_pki_msg_decode_encode() {
let pki_msg_base64 = include_str!("../../tests/data/ftx_test_pki_msg.b64");
check_pki_msg_decode_encode(pki_msg_base64);
}
/// Test encode/decode PKIMessage generated from openssl.
/// Test data is generated from following command using openssl version 3.X:
/// ```bash
/// openssl genrsa 2048 > subjectkey.pem
/// openssl req -x509 -days 3650 -new -newkey rsa:2048 -keyout senderkey.pem -subj /CN=sender -out sendercert.pem -nodes
/// openssl cmp -cmd cr -reqout cr.der -newkey subjectkey.pem -subject "/CN=subject" -certout /dev/null -rspin /dev/null -recipient "/CN=recipient" -key senderkey.pem -cert sendercert.pem -extracerts sendercert.pem
/// base64 < cr.der
/// ```
#[test]
fn test_openssl_pki_msg_decode_encode() {
let pki_msg_base64 = include_str!("../../tests/data/openssl_pki_msg.b64");
check_pki_msg_decode_encode(pki_msg_base64);
}
fn check_pki_msg_decode_encode(pki_msg_base64: &str) {
let pki_msg_data = pki_msg_base64.trim().from_base64().expect("base64 decode test pki msg");
// decode from source
let pki_msg = PkiMessage::from_der(&pki_msg_data).expect("DER decode test pki msg");
// re-encode
let pki_msg_back_to_der = pki_msg.to_der();
// re-encoded DER should be equal to source
assert!(
pki_msg_data == pki_msg_back_to_der,
"{}",
pki_msg_back_to_der.to_base64(STANDARD)
);
// re-decoded object should be equal to previous decoded object
let pki_msg2 = PkiMessage::from_der(&pki_msg_back_to_der).expect("DER decode re-encoded pki msg");
assert_eq!(pki_msg, pki_msg2);
}
}