polyproto/types/

pdn.rs

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

use std::hash::Hash;

use spki::ObjectIdentifier;
use x509_cert::attr::AttributeTypeAndValue;
use x509_cert::name::{RdnSequence, RelativeDistinguishedName};

use crate::errors::{ConstraintError, InvalidInput};
use crate::types::SessionId;
use crate::types::local_name::LocalName;
use crate::types::{DomainName, FederationId};
use crate::{
    Constrained, OID_RDN_COMMON_NAME, OID_RDN_DOMAIN_COMPONENT, OID_RDN_UID,
    OID_RDN_UNIQUE_IDENTIFIER,
};

/// Higher-level abstraction of X.509 [distinguished names](https://ldap.com/ldap-dns-and-rdns/),
/// providing easier access to inner values compared to using [x509_cert::name::Name] in a raw manner.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub enum PolyprotoDistinguishedName {
    /// A `pDN` with all necessary fields for an actor.
    ActorDn(ActorDN),
    /// A `pDN` with all necessary fields for a home server.
    HomeServerDn(HomeServerDN),
}

impl PolyprotoDistinguishedName {
    /// Regardless of whether the `PolyprotoDistinguishedName` is a [ActorDN] or a [HomeServerDN],
    /// get a reference to the [DomainName] of the issuing authority for this `PolyprotoDistinguishedName`.
    /// This is–in either case–the `domain_name` attribute of the specific `DN`.
    ///
    /// This method is just a shorthand for
    ///
    /// ```rs
    /// match self {
    ///    PolyprotoDistinguishedName::ActorDn(actor_dn) => actor_dn.domain_name,
    ///    PolyprotoDistinguishedName::HomeServerDn(home_server_dn) => home_server_dn.domain_name,
    /// }
    /// ```
    pub fn issuer_name(&self) -> &DomainName {
        match self {
            PolyprotoDistinguishedName::ActorDn(actor_dn) => &actor_dn.domain_name,
            PolyprotoDistinguishedName::HomeServerDn(home_server_dn) => &home_server_dn.domain_name,
        }
    }
}

impl From<ActorDN> for PolyprotoDistinguishedName {
    fn from(value: ActorDN) -> Self {
        Self::ActorDn(value)
    }
}

impl From<HomeServerDN> for PolyprotoDistinguishedName {
    fn from(value: HomeServerDN) -> Self {
        Self::HomeServerDn(value)
    }
}

impl TryFrom<RdnSequence> for PolyprotoDistinguishedName {
    type Error = crate::errors::InvalidInput;

    fn try_from(value: RdnSequence) -> Result<Self, Self::Error> {
        // Let's see if we can find a FederationId component, then we do the conversion based on
        // whether we were successful.
        if value
            .0
            .iter()
            .any(|rdn| rdn.0.iter().any(|attr| attr.oid == OID_RDN_UID))
        {
            Ok(Self::ActorDn(ActorDN::try_from(value)?))
        } else {
            Ok(Self::HomeServerDn(HomeServerDN::try_from(value)?))
        }
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
/// A [PolyprotoDistinguishedName] with all necessary fields for an actor certificate.
///
/// This struct is a higher-level abstraction of X.509 [distinguished names](https://ldap.com/ldap-dns-and-rdns/),
/// providing easier access to inner values compared to using [x509_cert::name::Name] in a raw manner.
pub struct ActorDN {
    /// The [FederationId] field claim of this Distinguished Name.
    pub federation_id: FederationId,
    /// The [LocalName] field claim of this Distinguished Name.
    pub local_name: LocalName,
    /// The [DomainName] field claim of this Distinguished Name, representing the instance this actor claims to be belonging to.
    pub domain_name: DomainName,
    /// The [SessionId] field claim of this Distinguished Name.
    pub session_id: SessionId,
    /// Additional claims in this Distinguished Name, if any.
    pub additional_fields: RelativeDistinguishedName,
}

impl ActorDN {
    /// Creates a new validated [ActorDN] with all necessary fields for an actor certificate.
    ///
    /// This constructor method creates an [ActorDN] instance and validates it against the
    /// [Actor] target to ensure it meets all polyproto constraints for actor certificates.
    ///
    /// # Parameters
    ///
    /// - `federation_id`: The [FederationId] field claim for this Distinguished Name
    /// - `local_name`: The [LocalName] field claim for this Distinguished Name  
    /// - `domain_name`: The [DomainName] field claim representing the instance this actor belongs to
    /// - `session_id`: The [SessionId] field claim for this Distinguished Name
    /// - `additional_fields`: Optional additional claims in this Distinguished Name
    ///
    /// # Returns
    ///
    /// - `Ok(ActorDN)` if the constructed DN passes validation
    /// - `Err(ConstraintError)` if the DN violates any polyproto constraints for actor certificates
    ///
    /// # Errors
    ///
    /// This method returns a [ConstraintError] if the constructed [ActorDN] fails validation
    /// against the [Actor] target. Common validation failures include malformed field values
    /// or constraint violations specific to actor certificates.
    pub fn new_validated(
        federation_id: FederationId,
        local_name: LocalName,
        domain_name: DomainName,
        session_id: SessionId,
        additional_fields: Option<RelativeDistinguishedName>,
    ) -> Result<Self, ConstraintError> {
        let actor_dn = ActorDN {
            federation_id,
            local_name,
            domain_name,
            session_id,
            additional_fields: additional_fields.unwrap_or_default(),
        };
        actor_dn.validate(Some(crate::certs::Target::Actor))?;
        Ok(actor_dn)
    }
}

impl Hash for ActorDN {
    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
        self.federation_id.hash(state);
        self.domain_name.hash(state);
        self.session_id.hash(state);
        self.additional_fields.0.iter().for_each(|item| {
            item.oid.hash(state);
            item.value.value().hash(state);
        });
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
/// A [PolyprotoDistinguishedName] with all necessary fields for a home server certificate.
///
/// This struct is a higher-level abstraction of X.509 [distinguished names](https://ldap.com/ldap-dns-and-rdns/),
/// providing easier access to inner values compared to using [x509_cert::name::Name] in a raw manner.
pub struct HomeServerDN {
    /// The [DomainName] field claim of this Distinguished Name, representing the domain this instance claims to represent.
    pub domain_name: DomainName,
    /// Additional claims in this Distinguished Name, if any.
    pub additional_fields: RelativeDistinguishedName,
}

impl HomeServerDN {
    /// Creates a new validated [HomeServerDN] with all necessary fields for a home server certificate.
    ///
    /// This constructor method creates a [HomeServerDN] instance and validates it against the
    /// [HomeServer] target to ensure it meets all polyproto constraints for home server certificates.
    ///
    /// # Parameters
    ///
    /// - `domain_name`: The [DomainName] field claim representing the domain this instance claims to represent
    /// - `additional_fields`: Optional additional claims in this Distinguished Name
    ///
    /// # Returns
    ///
    /// - `Ok(HomeServerDN)` if the constructed DN passes validation
    /// - `Err(ConstraintError)` if the DN violates any polyproto constraints for home server certificates
    ///
    /// # Errors
    ///
    /// This method returns a [ConstraintError] if the constructed [HomeServerDN] fails validation
    /// against the [HomeServer] target. Common validation failures include malformed field values
    /// or constraint violations specific to home server certificates.
    pub fn new_validated(
        domain_name: DomainName,
        additional_fields: Option<RelativeDistinguishedName>,
    ) -> Result<Self, ConstraintError> {
        let home_server_dn = HomeServerDN {
            domain_name,
            additional_fields: additional_fields.unwrap_or_default(),
        };
        home_server_dn.validate(Some(crate::certs::Target::HomeServer))?;
        Ok(home_server_dn)
    }
}

impl Hash for HomeServerDN {
    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
        self.domain_name.hash(state);
        self.additional_fields.0.iter().for_each(|item| {
            item.oid.hash(state);
            item.value.value().hash(state);
        });
    }
}

impl TryFrom<RdnSequence> for ActorDN {
    type Error = crate::errors::InvalidInput;

    fn try_from(x509_distinguished_name: RdnSequence) -> Result<Self, Self::Error> {
        check_amount_of_oid_values(
            range::Range::new(1, 125)?,
            &x509_distinguished_name,
            &OID_RDN_DOMAIN_COMPONENT,
        )?;
        check_amount_of_oid_values(
            range::Range::new(1, 1)?,
            &x509_distinguished_name,
            &OID_RDN_COMMON_NAME,
        )?;
        check_amount_of_oid_values(
            range::Range::new(1, 1)?,
            &x509_distinguished_name,
            &OID_RDN_UID,
        )?;
        check_amount_of_oid_values(
            range::Range::new(1, 1)?,
            &x509_distinguished_name,
            &OID_RDN_UNIQUE_IDENTIFIER,
        )?;
        let mut maybe_federation_id: Option<AttributeTypeAndValue> = None;
        let mut maybe_local_name: Option<AttributeTypeAndValue> = None;
        let mut maybe_domain_names: Vec<AttributeTypeAndValue> = Vec::new();
        let mut maybe_session_id: Option<AttributeTypeAndValue> = None;
        let mut maybe_additional_fields: Vec<AttributeTypeAndValue> = Vec::new();
        for relative_distinguished_name in x509_distinguished_name.0.into_iter() {
            for attribute_value_and_item in relative_distinguished_name.0.iter() {
                match attribute_value_and_item.oid {
                    OID_RDN_COMMON_NAME => {
                        make_some_or_error(attribute_value_and_item, &mut maybe_local_name)?
                    }
                    OID_RDN_UID => {
                        make_some_or_error(attribute_value_and_item, &mut maybe_federation_id)?
                    }
                    OID_RDN_UNIQUE_IDENTIFIER => {
                        make_some_or_error(attribute_value_and_item, &mut maybe_session_id)?
                    }
                    OID_RDN_DOMAIN_COMPONENT => {
                        maybe_domain_names.push(attribute_value_and_item.clone())
                    }
                    _other => maybe_additional_fields.push(attribute_value_and_item.clone()),
                }
            }
        }
        let federation_id = FederationId::try_from(match maybe_federation_id {
            Some(fid) => fid,
            None => {
                return Err(crate::errors::InvalidInput::Malformed(String::from(
                    "Expected Federation ID in ActorDN, found none",
                )));
            }
        })?;
        let local_name = LocalName::try_from(match maybe_local_name {
            Some(ln) => ln,
            None => {
                return Err(crate::errors::InvalidInput::Malformed(String::from(
                    "Expected Local Name in ActorDN, found none",
                )));
            }
        })?;
        let domain_name = federation_id.domain_name.clone();
        let session_id = SessionId::try_from(match maybe_session_id {
            Some(s_id) => s_id,
            None => {
                return Err(crate::errors::InvalidInput::Malformed(String::from(
                    "Expected Local Name in ActorDN, found none",
                )));
            }
        })?;
        if domain_name != federation_id.domain_name {
            return Err(InvalidInput::Malformed(format!(
                "The domain name specified by the DC components does not the equal the domain name described in the federation ID: {domain_name} != {}",
                federation_id.domain_name,
            )));
        }
        if local_name != federation_id.local_name {
            return Err(InvalidInput::Malformed(format!(
                "The local name specified by the OID commonName ({OID_RDN_COMMON_NAME}) does not the equal the local name described in the federation ID (OID UID {OID_RDN_UID}): {local_name} != {}",
                federation_id.local_name,
            )));
        }
        Ok(ActorDN {
            federation_id,
            domain_name,
            session_id,
            local_name,
            additional_fields: RelativeDistinguishedName::try_from(maybe_additional_fields).map_err(|e| crate::errors::InvalidInput::Malformed(format!("Could not parse ActorDN additional_fields: Name attribute contained additional information which was not a valid RelativeDistinguishedName: {e}")))?,
        })
    }
}

impl TryFrom<ActorDN> for RdnSequence {
    type Error = InvalidInput;
    fn try_from(value: ActorDN) -> Result<Self, Self::Error> {
        let mut all_rdns = Vec::new();
        
        // Only add additional_fields if it's not empty to avoid extra empty RDNs in DER encoding
        if !value.additional_fields.0.is_empty() {
            all_rdns.push(value.additional_fields);
        }
        
        all_rdns.append(&mut RdnSequence::try_from(value.domain_name)?.0);
        all_rdns.push(RelativeDistinguishedName::try_from(value.federation_id)?);
        all_rdns.push(RelativeDistinguishedName::try_from(value.local_name)?);
        all_rdns.push(RelativeDistinguishedName::try_from(value.session_id)?);
        Ok(RdnSequence(all_rdns))
    }
}

impl TryFrom<RdnSequence> for HomeServerDN {
    type Error = crate::errors::InvalidInput;

    fn try_from(x509_distinguished_name: RdnSequence) -> Result<Self, Self::Error> {
        check_amount_of_oid_values(
            range::Range::new(1, 125)?,
            &x509_distinguished_name,
            &OID_RDN_DOMAIN_COMPONENT,
        )?;
        check_amount_of_oid_values(
            range::Range::new(0, 0)?,
            &x509_distinguished_name,
            &OID_RDN_COMMON_NAME,
        )?;
        check_amount_of_oid_values(
            range::Range::new(0, 0)?,
            &x509_distinguished_name,
            &OID_RDN_UID,
        )?;
        check_amount_of_oid_values(
            range::Range::new(0, 0)?,
            &x509_distinguished_name,
            &OID_RDN_UNIQUE_IDENTIFIER,
        )?;
        let mut maybe_domain_names: Vec<AttributeTypeAndValue> = Vec::new();
        let mut maybe_additional_fields: Vec<AttributeTypeAndValue> = Vec::new();
        for relative_distinguished_name in x509_distinguished_name.0.into_iter() {
            for attribute_value_and_item in relative_distinguished_name.0.iter() {
                match attribute_value_and_item.oid {
                    OID_RDN_DOMAIN_COMPONENT => {
                        maybe_domain_names.push(attribute_value_and_item.clone())
                    }
                    _other => maybe_additional_fields.push(attribute_value_and_item.clone()),
                }
            }
        }

        let domain_name = DomainName::try_from(maybe_domain_names.as_slice())?;

        Ok(HomeServerDN {
            domain_name,
            additional_fields: RelativeDistinguishedName::try_from(maybe_additional_fields).map_err(|e| crate::errors::InvalidInput::Malformed(format!("Could not parse ActorDN additional_fields: Name attribute contained additional information which was not a valid RelativeDistinguishedName: {e}")))?,
        })
    }
}

impl TryFrom<HomeServerDN> for RdnSequence {
    type Error = InvalidInput;

    fn try_from(value: HomeServerDN) -> Result<Self, Self::Error> {
        let mut all_rdns = Vec::new();
        
        // Only add additional_fields if it's not empty to avoid extra empty RDNs in DER encoding
        if !value.additional_fields.0.is_empty() {
            all_rdns.push(value.additional_fields);
        }
        
        all_rdns.append(&mut RdnSequence::try_from(value.domain_name)?.0);
        Ok(RdnSequence(all_rdns))
    }
}

impl TryFrom<PolyprotoDistinguishedName> for RdnSequence {
    type Error = InvalidInput;

    fn try_from(value: PolyprotoDistinguishedName) -> Result<Self, Self::Error> {
        match value {
            PolyprotoDistinguishedName::ActorDn(actor_dn) => Self::try_from(actor_dn),
            PolyprotoDistinguishedName::HomeServerDn(home_server_dn) => {
                Self::try_from(home_server_dn)
            }
        }
    }
}

/// Helper function. Takes an exclusive reference `Option<AttributeTypeAndValue>`, inspects if it
/// holds a value, and
///
/// - Errors appropriately, if it already holds a value
/// - Else, updates the `None` value with the passed `attribute_value_and_item`, then returns `Ok(())`
fn make_some_or_error(
    attribute_value_and_item: &AttributeTypeAndValue,
    value_to_update: &mut Option<AttributeTypeAndValue>,
) -> Result<(), crate::errors::InvalidInput> {
    if value_to_update.is_none() {
        *value_to_update = Some(attribute_value_and_item.clone());
        Ok(())
    } else {
        Err(crate::errors::InvalidInput::Malformed(
            "Found multiple entries for same OID, where only one OID is allowed".to_owned(),
        ))
    }
}

pub(crate) mod range {
    use crate::errors::InvalidInput;

    /// Represents a range of positive (incl. zero (0)) numbers, where `max` is at least as large
    /// as `min`.
    pub(crate) struct Range {
        min: u32,
        max: u32,
    }

    impl Range {
        pub(crate) fn new(min: u32, max: u32) -> Result<Self, InvalidInput> {
            if max < min {
                Err(InvalidInput::Malformed(
                    "min must be equal to or smaller than max!".to_owned(),
                ))
            } else {
                Ok(Self { min, max })
            }
        }

        /// Returns `min` from `Self`.
        pub(crate) fn min(&self) -> u32 {
            self.min
        }

        /// Returns `max` from `Self`.
        pub(crate) fn max(&self) -> u32 {
            self.max
        }
    }
}

/// Validates that the count of attributes with a specific OID falls within the expected range.
///
/// This function counts all occurrences of [AttributeTypeAndValue] entries in the provided
/// [RdnSequence] that match the given [ObjectIdentifier], and ensures the count is within
/// the specified minimum and maximum bounds.
///
/// # Parameters
///
/// - `min_max`: A [Range] specifying the minimum and maximum allowed count of OID occurrences
/// - `value_container`: The [RdnSequence] to search within for matching OID values
/// - `oid`: The [ObjectIdentifier] to search for and count
///
/// # Returns
///
/// - `Ok(())` if the count of matching OID values is within the specified range
/// - `Err(InvalidInput::Length)` if the count is below the minimum or above the maximum.
pub(crate) fn check_amount_of_oid_values(
    min_max: range::Range,
    value_container: &RdnSequence,
    oid: &ObjectIdentifier,
) -> Result<(), InvalidInput> {
    let mut count = 0u32;

    for rdn in value_container.0.iter() {
        for attribute_type_and_value in rdn.0.iter() {
            if attribute_type_and_value.oid == *oid {
                count = count.saturating_add(1);
                if count > min_max.max() {
                    return Err(InvalidInput::Length {
                        min_length: min_max.min() as usize,
                        max_length: min_max.max() as usize,
                        actual_length: count.to_string(),
                    });
                }
            }
        }
    }

    if count < min_max.min() {
        return Err(InvalidInput::Length {
            min_length: min_max.min() as usize,
            max_length: min_max.max() as usize,
            actual_length: count.to_string(),
        });
    }

    Ok(())
}

#[cfg(test)]
#[allow(clippy::expect_used)]
mod tests {
    use super::*;
    use der::Any;
    use x509_cert::ext::pkix::name::DirectoryString;

    /// Helper function to create an AttributeTypeAndValue for testing
    fn create_test_attribute(oid: ObjectIdentifier, value: &str) -> AttributeTypeAndValue {
        let directory_string = DirectoryString::Utf8String(value.to_string());
        AttributeTypeAndValue {
            oid,
            value: Any::encode_from(&directory_string).expect("Valid encoding"),
        }
    }

    /// Helper function to create a simple RdnSequence with specified attributes
    fn create_test_rdn_sequence(attributes: Vec<AttributeTypeAndValue>) -> RdnSequence {
        let rdn = RelativeDistinguishedName::try_from(attributes)
            .expect("Valid RelativeDistinguishedName");
        RdnSequence(vec![rdn])
    }

    /// Helper function to create an RdnSequence with multiple RDNs
    fn create_multi_rdn_sequence(rdn_attributes: Vec<Vec<AttributeTypeAndValue>>) -> RdnSequence {
        let rdns: Vec<RelativeDistinguishedName> = rdn_attributes
            .into_iter()
            .map(|attrs| RelativeDistinguishedName::try_from(attrs).expect("Valid RDN"))
            .collect();
        RdnSequence(rdns)
    }

    #[test]
    fn test_valid_count_scenarios() {
        // Test single occurrence within range [1,3]
        let range = range::Range::new(1, 3).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_COMMON_NAME, "test"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "example.com"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_ok(),
            "Should succeed with 1 occurrence within range [1,3]"
        );

        // Test multiple occurrences within range [2,4]
        let range = range::Range::new(2, 4).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_COMMON_NAME, "test1"),
            create_test_attribute(OID_RDN_COMMON_NAME, "test2"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "example.com"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_ok(),
            "Should succeed with 2 occurrences within range [2,4]"
        );
    }

    #[test]
    fn test_boundary_conditions() {
        // Test exactly at minimum boundary (2)
        let range = range::Range::new(2, 5).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_UID, "user1"),
            create_test_attribute(OID_RDN_UID, "user2"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "example.com"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_UID);
        assert!(
            result.is_ok(),
            "Should succeed with exactly minimum count (2)"
        );

        // Test exactly at maximum boundary (3)
        let range = range::Range::new(1, 3).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "part1"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "part2"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "part3"),
            create_test_attribute(OID_RDN_COMMON_NAME, "test"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_DOMAIN_COMPONENT);
        assert!(
            result.is_ok(),
            "Should succeed with exactly maximum count (3)"
        );
    }

    #[test]
    fn test_error_conditions() {
        // Test count below minimum (1 occurrence when minimum is 2)
        let range = range::Range::new(2, 5).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_COMMON_NAME, "test"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "example.com"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_err(),
            "Should fail with 1 occurrence below minimum (2)"
        );
        if let Err(InvalidInput::Length {
            min_length,
            max_length,
            ..
        }) = result
        {
            assert_eq!(min_length, 2);
            assert_eq!(max_length, 5);
        } else {
            panic!("Expected InvalidInput::Length error");
        }

        // Test count above maximum (3 occurrences when maximum is 2)
        let range = range::Range::new(1, 2).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_UNIQUE_IDENTIFIER, "id1"),
            create_test_attribute(OID_RDN_UNIQUE_IDENTIFIER, "id2"),
            create_test_attribute(OID_RDN_UNIQUE_IDENTIFIER, "id3"),
            create_test_attribute(OID_RDN_COMMON_NAME, "test"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_UNIQUE_IDENTIFIER);
        assert!(
            result.is_err(),
            "Should fail with 3 occurrences above maximum (2)"
        );
        if let Err(InvalidInput::Length {
            min_length,
            max_length,
            ..
        }) = result
        {
            assert_eq!(min_length, 1);
            assert_eq!(max_length, 2);
        } else {
            panic!("Expected InvalidInput::Length error");
        }
    }

    #[test]
    fn test_edge_cases() {
        // Test zero occurrences below minimum (0 when minimum is 1)
        let range = range::Range::new(1, 3).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_COMMON_NAME, "test"),
            create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "example.com"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_UID);
        assert!(
            result.is_err(),
            "Should fail with 0 occurrences below minimum (1)"
        );

        // Test zero occurrences within range [0,2]
        let range = range::Range::new(0, 2).expect("Valid range");
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_UID);
        assert!(
            result.is_ok(),
            "Should succeed with 0 occurrences within range [0,2]"
        );

        // Test empty RdnSequence with minimum 0 (should succeed)
        let range = range::Range::new(0, 1).expect("Valid range");
        let empty_sequence = RdnSequence(vec![]);
        let result = check_amount_of_oid_values(range, &empty_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_ok(),
            "Should succeed with empty RdnSequence when minimum is 0"
        );

        // Test empty RdnSequence with minimum > 0 (should fail)
        let range = range::Range::new(1, 3).expect("Valid range");
        let result = check_amount_of_oid_values(range, &empty_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_err(),
            "Should fail with empty RdnSequence when minimum > 0"
        );

        // Test multiple RDNs with target OID (2 occurrences across RDNs)
        let range = range::Range::new(2, 4).expect("Valid range");
        let rdn_attributes = vec![
            vec![
                create_test_attribute(OID_RDN_COMMON_NAME, "test1"),
                create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "part1"),
            ],
            vec![
                create_test_attribute(OID_RDN_COMMON_NAME, "test2"),
                create_test_attribute(OID_RDN_UID, "user"),
            ],
        ];
        let multi_rdn_sequence = create_multi_rdn_sequence(rdn_attributes);
        let result = check_amount_of_oid_values(range, &multi_rdn_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_ok(),
            "Should succeed with 2 occurrences across multiple RDNs"
        );
    }

    #[test]
    fn test_exact_count_constraints() {
        let range = range::Range::new(1, 1).expect("Valid range");

        // Test exactly 1 occurrence in range [1,1] (should succeed)
        let attributes = vec![create_test_attribute(OID_RDN_COMMON_NAME, "single")];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_ok(),
            "Should succeed with exactly 1 occurrence in range [1,1]"
        );

        // Test 2 occurrences in range [1,1] (should fail)
        let range = range::Range::new(1, 1).expect("Valid range");
        let attributes = vec![
            create_test_attribute(OID_RDN_COMMON_NAME, "first"),
            create_test_attribute(OID_RDN_COMMON_NAME, "second"),
        ];
        let rdn_sequence = create_test_rdn_sequence(attributes);
        let result = check_amount_of_oid_values(range, &rdn_sequence, &OID_RDN_COMMON_NAME);
        assert!(
            result.is_err(),
            "Should fail with 2 occurrences in range [1,1]"
        );
    }

    mod constrained_tests {
        use super::*;
        use crate::{Constrained, certs::Target};
        use der::asn1::SetOfVec;

        /// Helper to create a valid FederationId
        fn create_valid_federation_id() -> FederationId {
            FederationId::new("alice@example.com").expect("Valid federation ID")
        }

        /// Helper to create a valid LocalName matching the federation ID
        fn create_valid_local_name() -> LocalName {
            LocalName::new("alice").expect("Valid local name")
        }

        /// Helper to create a valid DomainName matching the federation ID
        fn create_valid_domain_name() -> DomainName {
            DomainName::new("example.com").expect("Valid domain name")
        }

        /// Helper to create a valid SessionId
        fn create_valid_session_id() -> SessionId {
            SessionId::new_validated("validSessionId123").expect("Valid session ID")
        }

        /// Helper to create empty additional fields
        fn create_empty_additional_fields() -> RelativeDistinguishedName {
            RelativeDistinguishedName(SetOfVec::new())
        }

        /// Helper to create additional fields with forbidden OIDs
        fn create_forbidden_oid_additional_fields(
            oid: ObjectIdentifier,
        ) -> RelativeDistinguishedName {
            let attr = create_test_attribute(oid, "forbidden");
            RelativeDistinguishedName::try_from(vec![attr]).expect("Valid RDN")
        }

        /// Helper to create a valid ActorDN
        fn create_valid_actor_dn() -> ActorDN {
            ActorDN {
                federation_id: create_valid_federation_id(),
                local_name: create_valid_local_name(),
                domain_name: create_valid_domain_name(),
                session_id: create_valid_session_id(),
                additional_fields: create_empty_additional_fields(),
            }
        }

        /// Helper to create a valid HomeServerDN
        fn create_valid_home_server_dn() -> HomeServerDN {
            HomeServerDN {
                domain_name: create_valid_domain_name(),
                additional_fields: create_empty_additional_fields(),
            }
        }

        #[test]
        fn polyproto_dn_actor_with_actor_target_validates() {
            let actor_dn = create_valid_actor_dn();
            let pdn = PolyprotoDistinguishedName::ActorDn(actor_dn);

            let result = pdn.validate(Some(Target::Actor));
            assert!(result.is_ok(), "ActorDn should validate with Actor target");
        }

        #[test]
        fn polyproto_dn_actor_with_none_target_validates() {
            let actor_dn = create_valid_actor_dn();
            let pdn = PolyprotoDistinguishedName::ActorDn(actor_dn);

            let result = pdn.validate(None);
            assert!(result.is_ok(), "ActorDn should validate with None target");
        }

        #[test]
        fn polyproto_dn_home_server_with_home_server_target_validates() {
            let home_server_dn = create_valid_home_server_dn();
            let pdn = PolyprotoDistinguishedName::HomeServerDn(home_server_dn);

            let result = pdn.validate(Some(Target::HomeServer));
            assert!(
                result.is_ok(),
                "HomeServerDn should validate with HomeServer target"
            );
        }

        #[test]
        fn polyproto_dn_home_server_with_none_target_validates() {
            let home_server_dn = create_valid_home_server_dn();
            let pdn = PolyprotoDistinguishedName::HomeServerDn(home_server_dn);

            let result = pdn.validate(None);
            assert!(
                result.is_ok(),
                "HomeServerDn should validate with None target"
            );
        }

        #[test]
        fn polyproto_dn_actor_with_home_server_target_fails() {
            let actor_dn = create_valid_actor_dn();
            let pdn = PolyprotoDistinguishedName::ActorDn(actor_dn);

            let result = pdn.validate(Some(Target::HomeServer));
            assert!(
                result.is_err(),
                "ActorDn should fail with HomeServer target"
            );

            if let Err(error) = result {
                assert!(
                    error.to_string().contains("malformed"),
                    "Error should mention validation failure"
                );
            }
        }

        #[test]
        fn polyproto_dn_home_server_with_actor_target_fails() {
            let home_server_dn = create_valid_home_server_dn();
            let pdn = PolyprotoDistinguishedName::HomeServerDn(home_server_dn);

            let result = pdn.validate(Some(Target::Actor));
            assert!(
                result.is_err(),
                "HomeServerDn should fail with Actor target"
            );

            if let Err(error) = result {
                assert!(
                    error.to_string().contains("malformed"),
                    "Error should mention validation failure"
                );
            }
        }

        #[test]
        fn actor_dn_valid_components_validates() {
            let actor_dn = create_valid_actor_dn();

            assert!(
                actor_dn.validate(Some(Target::Actor)).is_ok(),
                "Valid ActorDN should validate with Actor target"
            );
            assert!(
                actor_dn.validate(None).is_ok(),
                "Valid ActorDN should validate with None target"
            );
        }

        #[test]
        fn actor_dn_mismatched_domain_name_fails() {
            let federation_id = create_valid_federation_id();
            let local_name = create_valid_local_name();
            let mismatched_domain = DomainName::new("different.com").expect("Valid domain name");
            let session_id = create_valid_session_id();

            let actor_dn = ActorDN {
                federation_id,
                local_name,
                domain_name: mismatched_domain,
                session_id,
                additional_fields: create_empty_additional_fields(),
            };

            let result = actor_dn.validate(None);
            assert!(
                result.is_err(),
                "ActorDN with mismatched domain name should fail"
            );

            if let Err(error) = result {
                let error_str = error.to_string();
                assert!(
                    error_str.contains("malformed"),
                    "Error should mention validation failure: {error_str}"
                );
            }
        }

        #[test]
        fn actor_dn_mismatched_local_name_fails() {
            let federation_id = create_valid_federation_id();
            let mismatched_local_name = LocalName::new("bob").expect("Valid local name");
            let domain_name = create_valid_domain_name();
            let session_id = create_valid_session_id();

            let actor_dn = ActorDN {
                federation_id,
                local_name: mismatched_local_name,
                domain_name,
                session_id,
                additional_fields: create_empty_additional_fields(),
            };

            let result = actor_dn.validate(None);
            assert!(
                result.is_err(),
                "ActorDN with mismatched local name should fail"
            );

            if let Err(error) = result {
                let error_str = error.to_string();
                assert!(
                    error_str.contains("malformed"),
                    "Error should mention validation failure: {error_str}"
                );
            }
        }

        #[test]
        fn actor_dn_forbidden_domain_component_in_additional_fields_fails() {
            let mut actor_dn = create_valid_actor_dn();
            actor_dn.additional_fields =
                create_forbidden_oid_additional_fields(OID_RDN_DOMAIN_COMPONENT);

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_err(),
                "ActorDN with DOMAIN_COMPONENT in additional_fields should fail"
            );
        }

        #[test]
        fn actor_dn_forbidden_common_name_in_additional_fields_fails() {
            let mut actor_dn = create_valid_actor_dn();
            actor_dn.additional_fields =
                create_forbidden_oid_additional_fields(OID_RDN_COMMON_NAME);

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_err(),
                "ActorDN with COMMON_NAME in additional_fields should fail"
            );
        }

        #[test]
        fn actor_dn_forbidden_uid_in_additional_fields_fails() {
            let mut actor_dn = create_valid_actor_dn();
            actor_dn.additional_fields = create_forbidden_oid_additional_fields(OID_RDN_UID);

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_err(),
                "ActorDN with UID in additional_fields should fail"
            );
        }

        #[test]
        fn actor_dn_forbidden_unique_identifier_in_additional_fields_fails() {
            let mut actor_dn = create_valid_actor_dn();
            actor_dn.additional_fields =
                create_forbidden_oid_additional_fields(OID_RDN_UNIQUE_IDENTIFIER);

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_err(),
                "ActorDN with UNIQUE_IDENTIFIER in additional_fields should fail"
            );
        }

        #[test]
        fn actor_dn_multiple_forbidden_oids_in_additional_fields_fails() {
            let forbidden_attrs = vec![
                create_test_attribute(OID_RDN_COMMON_NAME, "forbidden1"),
                create_test_attribute(OID_RDN_UID, "forbidden2"),
            ];
            let forbidden_fields =
                RelativeDistinguishedName::try_from(forbidden_attrs).expect("Valid RDN");

            let mut actor_dn = create_valid_actor_dn();
            actor_dn.additional_fields = forbidden_fields;

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_err(),
                "ActorDN with multiple forbidden OIDs should fail"
            );
        }

        #[test]
        fn actor_dn_allowed_custom_oids_in_additional_fields_validates() {
            let custom_oid = ObjectIdentifier::new_unwrap("1.2.3.4.5");
            let custom_attr = create_test_attribute(custom_oid, "custom_value");
            let custom_fields =
                RelativeDistinguishedName::try_from(vec![custom_attr]).expect("Valid RDN");

            let mut actor_dn = create_valid_actor_dn();
            actor_dn.additional_fields = custom_fields;

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_ok(),
                "ActorDN with custom OIDs in additional_fields should validate"
            );
        }

        #[test]
        fn home_server_dn_valid_components_validates() {
            let home_server_dn = create_valid_home_server_dn();

            assert!(
                home_server_dn.validate(Some(Target::HomeServer)).is_ok(),
                "Valid HomeServerDN should validate with HomeServer target"
            );
            assert!(
                home_server_dn.validate(None).is_ok(),
                "Valid HomeServerDN should validate with None target"
            );
        }

        #[test]
        fn home_server_dn_forbidden_common_name_in_additional_fields_fails() {
            let mut home_server_dn = create_valid_home_server_dn();
            home_server_dn.additional_fields =
                create_forbidden_oid_additional_fields(OID_RDN_COMMON_NAME);

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_err(),
                "HomeServerDN with COMMON_NAME in additional_fields should fail"
            );
        }

        #[test]
        fn home_server_dn_forbidden_uid_in_additional_fields_fails() {
            let mut home_server_dn = create_valid_home_server_dn();
            home_server_dn.additional_fields = create_forbidden_oid_additional_fields(OID_RDN_UID);

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_err(),
                "HomeServerDN with UID in additional_fields should fail"
            );
        }

        #[test]
        fn home_server_dn_forbidden_unique_identifier_in_additional_fields_fails() {
            let mut home_server_dn = create_valid_home_server_dn();
            home_server_dn.additional_fields =
                create_forbidden_oid_additional_fields(OID_RDN_UNIQUE_IDENTIFIER);

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_err(),
                "HomeServerDN with UNIQUE_IDENTIFIER in additional_fields should fail"
            );
        }

        #[test]
        fn home_server_dn_forbidden_domain_component_in_additional_fields_fails() {
            let mut home_server_dn = create_valid_home_server_dn();
            home_server_dn.additional_fields =
                create_forbidden_oid_additional_fields(OID_RDN_DOMAIN_COMPONENT);

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_err(),
                "HomeServerDN with DOMAIN_COMPONENT in additional_fields should fail"
            );
        }

        #[test]
        fn home_server_dn_multiple_forbidden_oids_in_additional_fields_fails() {
            let forbidden_attrs = vec![
                create_test_attribute(OID_RDN_COMMON_NAME, "forbidden1"),
                create_test_attribute(OID_RDN_DOMAIN_COMPONENT, "forbidden2"),
                create_test_attribute(OID_RDN_UID, "forbidden3"),
            ];
            let forbidden_fields =
                RelativeDistinguishedName::try_from(forbidden_attrs).expect("Valid RDN");

            let mut home_server_dn = create_valid_home_server_dn();
            home_server_dn.additional_fields = forbidden_fields;

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_err(),
                "HomeServerDN with multiple forbidden OIDs should fail"
            );
        }

        #[test]
        fn home_server_dn_allowed_custom_oids_in_additional_fields_validates() {
            let custom_oids = vec![
                ObjectIdentifier::new_unwrap("1.2.3.4.5"),
                ObjectIdentifier::new_unwrap("2.5.4.10"), // organizationName
                ObjectIdentifier::new_unwrap("2.5.4.11"), // organizationalUnitName
            ];

            let custom_attrs: Vec<_> = custom_oids
                .into_iter()
                .enumerate()
                .map(|(i, oid)| create_test_attribute(oid, &format!("custom_value_{i}")))
                .collect();

            let custom_fields =
                RelativeDistinguishedName::try_from(custom_attrs).expect("Valid RDN");

            let mut home_server_dn = create_valid_home_server_dn();
            home_server_dn.additional_fields = custom_fields;

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_ok(),
                "HomeServerDN with custom OIDs in additional_fields should validate"
            );
        }

        #[test]
        fn actor_dn_empty_additional_fields_validates() {
            let actor_dn = create_valid_actor_dn();
            // additional_fields is already empty by default

            let result = actor_dn.validate(Some(Target::Actor));
            assert!(
                result.is_ok(),
                "ActorDN with empty additional_fields should validate"
            );
        }

        #[test]
        fn home_server_dn_empty_additional_fields_validates() {
            let home_server_dn = create_valid_home_server_dn();
            // additional_fields is already empty by default

            let result = home_server_dn.validate(Some(Target::HomeServer));
            assert!(
                result.is_ok(),
                "HomeServerDN with empty additional_fields should validate"
            );
        }

        #[test]
        fn actor_dn_new_validated_success() {
            let federation_id = create_valid_federation_id();
            let local_name = create_valid_local_name();
            let domain_name = create_valid_domain_name();
            let session_id = create_valid_session_id();

            let result =
                ActorDN::new_validated(federation_id, local_name, domain_name, session_id, None);

            assert!(
                result.is_ok(),
                "ActorDN::new_validated should succeed with valid components"
            );
        }

        #[test]
        fn actor_dn_new_validated_with_additional_fields_success() {
            let federation_id = create_valid_federation_id();
            let local_name = create_valid_local_name();
            let domain_name = create_valid_domain_name();
            let session_id = create_valid_session_id();
            let custom_oid = ObjectIdentifier::new_unwrap("1.2.3.4.5");
            let custom_attr = create_test_attribute(custom_oid, "custom");
            let additional_fields =
                RelativeDistinguishedName::try_from(vec![custom_attr]).expect("Valid RDN");

            let result = ActorDN::new_validated(
                federation_id,
                local_name,
                domain_name,
                session_id,
                Some(additional_fields),
            );

            assert!(
                result.is_ok(),
                "ActorDN::new_validated should succeed with valid additional fields"
            );
        }

        #[test]
        fn actor_dn_new_validated_mismatched_components_fails() {
            let federation_id = create_valid_federation_id();
            let mismatched_local_name = LocalName::new("bob").expect("Valid local name");
            let domain_name = create_valid_domain_name();
            let session_id = create_valid_session_id();

            let result = ActorDN::new_validated(
                federation_id,
                mismatched_local_name,
                domain_name,
                session_id,
                None,
            );

            assert!(
                result.is_err(),
                "ActorDN::new_validated should fail with mismatched components"
            );
        }

        #[test]
        fn home_server_dn_new_validated_success() {
            let domain_name = create_valid_domain_name();

            let result = HomeServerDN::new_validated(domain_name, None);
            assert!(
                result.is_ok(),
                "HomeServerDN::new_validated should succeed with valid components"
            );
        }

        #[test]
        fn home_server_dn_new_validated_with_additional_fields_success() {
            let domain_name = create_valid_domain_name();
            let custom_oid = ObjectIdentifier::new_unwrap("2.5.4.10"); // organizationName
            let custom_attr = create_test_attribute(custom_oid, "Example Org");
            let additional_fields =
                RelativeDistinguishedName::try_from(vec![custom_attr]).expect("Valid RDN");

            let result = HomeServerDN::new_validated(domain_name, Some(additional_fields));
            assert!(
                result.is_ok(),
                "HomeServerDN::new_validated should succeed with valid additional fields"
            );
        }

        #[test]
        fn home_server_dn_new_validated_forbidden_additional_fields_fails() {
            let domain_name = create_valid_domain_name();
            let forbidden_attr = create_test_attribute(OID_RDN_COMMON_NAME, "forbidden");
            let forbidden_fields =
                RelativeDistinguishedName::try_from(vec![forbidden_attr]).expect("Valid RDN");

            let result = HomeServerDN::new_validated(domain_name, Some(forbidden_fields));
            assert!(
                result.is_err(),
                "HomeServerDN::new_validated should fail with forbidden additional fields"
            );
        }
    }
}