polyproto/certs/capabilities/

mod.rs

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

/// "basicConstraints" IdCert/Csr capabilities
pub mod basic_constraints;
/// "keyUsage" IdCert/Csr capabilities
pub mod key_usage;

pub use basic_constraints::*;
pub use key_usage::*;
use x509_cert::{
    attr::{Attribute, Attributes},
    ext::{Extension, Extensions},
};

use crate::errors::{CertificateConversionError, InvalidInput};

/// Object Identifier for the KeyUsage::DigitalSignature variant.
pub const OID_KEY_USAGE_DIGITAL_SIGNATURE: &str = "1.3.6.1.5.5.7.3.3";
/// Object Identifier for the KeyUsage::CrlSign variant.
pub const OID_KEY_USAGE_CRL_SIGN: &str = "1.3.6.1.5.5.7.3.2";
/// Object Identifier for the KeyUsage::ContentCommitment variant.
pub const OID_KEY_USAGE_CONTENT_COMMITMENT: &str = "1.3.6.1.5.5.7.3.8";
/// Object Identifier for the KeyUsage::KeyEncipherment variant.
pub const OID_KEY_USAGE_KEY_ENCIPHERMENT: &str = "1.3.6.1.5.5.7.3.1";
/// Object Identifier for the KeyUsage::DataEncipherment variant.
pub const OID_KEY_USAGE_DATA_ENCIPHERMENT: &str = "1.3.6.1.5.5.7.3.4";
/// Object Identifier for the KeyUsage::KeyAgreement variant.
pub const OID_KEY_USAGE_KEY_AGREEMENT: &str = "1.3.6.1.5.5.7.3.9";
/// Object Identifier for the KeyUsage::KeyCertSign variant.
pub const OID_KEY_USAGE_KEY_CERT_SIGN: &str = "1.3.6.1.5.5.7.3.3";
/// Object Identifier for the KeyUsage::EncipherOnly variant.
pub const OID_KEY_USAGE_ENCIPHER_ONLY: &str = "1.3.6.1.5.5.7.3.7";
/// Object Identifier for the KeyUsage::DecipherOnly variant.
pub const OID_KEY_USAGE_DECIPHER_ONLY: &str = "1.3.6.1.5.5.7.3.6";
/// Object Identifier for the BasicConstraints variant.
pub const OID_BASIC_CONSTRAINTS: &str = "2.5.29.19";
/// Object Identifier for the KeyUsage flag.
pub const OID_KEY_USAGE: &str = "2.5.29.15";

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
/// An abstraction over X.509 Extensions and PKCS#10 Attributes, representing
/// the capabilities of a certificate. Capabilities can be converted from and to
/// both [Attributes] and [Extensions].
///
/// This struct only covers the Attributes/Extensions currently relevant to
/// polyproto.
pub struct Capabilities {
    /// The key usage extension defines the purpose of the key contained in the
    /// certificate.
    pub key_usage: KeyUsages,
    /// Extension type that defines whether a given certificate is allowed
    /// to sign additional certificates and what path length restrictions may
    /// exist.
    pub basic_constraints: BasicConstraints,
}

impl Default for Capabilities {
    fn default() -> Self {
        Self {
            key_usage: Default::default(),
            basic_constraints: BasicConstraints { ca: false, path_length: None },
        }
    }
}

impl Capabilities {
    /// Sane default for actor ID-CSR/ID-Cert [`Capabilities`]. Uses the
    /// `DigitalSignature` flag, not the `ContentCommitment` flag.
    #[must_use]
    pub fn default_actor() -> Self {
        let key_usage = KeyUsages::new(&[KeyUsage::DigitalSignature]);
        let basic_constraints = BasicConstraints { ca: false, path_length: None };
        Self { key_usage, basic_constraints }
    }

    /// Sane default for home server ID-CSR/ID-Cert [`Capabilities`].
    #[must_use]
    pub fn default_home_server() -> Self {
        let key_usage = KeyUsages::new(&[KeyUsage::KeyCertSign]);
        let basic_constraints = BasicConstraints { ca: true, path_length: Some(1) };
        Self { key_usage, basic_constraints }
    }

    /// Validates that these capabilities are well-formed according to X.509 and
    /// polyproto constraints. This validation is target-independent.
    ///
    /// ## Errors
    ///
    /// Returns a [crate::errors::ConstraintError] if the capabilities are
    /// malformed.
    pub fn validate(&self) -> Result<(), crate::errors::ConstraintError> {
        let is_ca = self.basic_constraints.ca;

        let mut can_commit_content = false;
        let mut can_sign = false;
        let mut key_cert_sign = false;
        let mut has_only_encipher = false;
        let mut has_only_decipher = false;
        let mut has_key_agreement = false;

        for item in self.key_usage.key_usages.iter() {
            if !has_only_encipher && item == &KeyUsage::EncipherOnly {
                has_only_encipher = true;
            }
            if !has_only_decipher && item == &KeyUsage::DecipherOnly {
                has_only_decipher = true;
            }
            if !has_key_agreement && item == &KeyUsage::KeyAgreement {
                has_key_agreement = true;
            }
            if item == &KeyUsage::ContentCommitment {
                can_commit_content = true;
            }
            if item == &KeyUsage::DigitalSignature {
                can_sign = true;
            }
            if item == &KeyUsage::KeyCertSign {
                key_cert_sign = true;
            }
        }

        // Non-CAs must be able to sign their messages
        if !is_ca && !can_sign && !can_commit_content {
            return Err(crate::errors::ConstraintError::Malformed(Some(
                crate::errors::ERR_MSG_ACTOR_MISSING_SIGNING_CAPS.to_owned(),
            )));
        }

        // Cannot have both signing and non-repudiation
        if can_sign && can_commit_content {
            return Err(crate::errors::ConstraintError::Malformed(Some(
                "Cannot have both signing and non-repudiation signing capabilities".to_owned(),
            )));
        }

        // CA <-> KeyCertSign correlation
        if is_ca || key_cert_sign {
            if !is_ca {
                return Err(crate::errors::ConstraintError::Malformed(Some(
                    "If KeyCertSign capability is wanted, CA flag must be true".to_owned(),
                )));
            }
            if !key_cert_sign {
                return Err(crate::errors::ConstraintError::Malformed(Some(format!(
                    "{} Missing capability \"KeyCertSign\"",
                    crate::errors::ERR_MSG_HOME_SERVER_MISSING_CA_ATTR
                ))));
            }
        }

        // KeyAgreement required for EncipherOnly/DecipherOnly
        if (has_only_encipher || has_only_decipher) && !has_key_agreement {
            Err(crate::errors::ConstraintError::Malformed(Some(
                "KeyAgreement capability needs to be true to use OnlyEncipher or OnlyDecipher"
                    .to_owned(),
            )))
        } else {
            Ok(())
        }
    }

    /// Validates that these capabilities are correct for an **actor**
    /// certificate.
    ///
    /// In addition to the base validation, this checks:
    /// - The `CA` flag must be `false`
    /// - Must have `DigitalSignature` or `ContentCommitment`
    /// - Must not have `KeyCertSign`
    ///
    /// ## Errors
    ///
    /// Returns a [crate::errors::ConstraintError] if the capabilities are
    /// not valid for an actor.
    pub fn validate_for_actor(&self) -> Result<(), crate::errors::ConstraintError> {
        self.validate()?;
        if self.basic_constraints.ca {
            return Err(crate::errors::ConstraintError::Malformed(Some(
                crate::errors::ERR_MSG_ACTOR_CANNOT_BE_CA.to_owned(),
            )));
        }
        Ok(())
    }

    /// Validates that these capabilities are correct for a **home server**
    /// certificate.
    ///
    /// In addition to the base validation, this checks:
    /// - The `CA` flag must be `true`
    /// - Must have `KeyCertSign`
    ///
    /// ## Errors
    ///
    /// Returns a [crate::errors::ConstraintError] if the capabilities are
    /// not valid for a home server.
    pub fn validate_for_home_server(&self) -> Result<(), crate::errors::ConstraintError> {
        self.validate()?;
        if !self.basic_constraints.ca {
            return Err(crate::errors::ConstraintError::Malformed(Some(
                crate::errors::ERR_MSG_HOME_SERVER_MISSING_CA_ATTR.to_owned(),
            )));
        }
        Ok(())
    }
}

impl TryFrom<Attributes> for Capabilities {
    type Error = CertificateConversionError;

    /// Performs the conversion.
    ///
    /// Fails if the [BasicConstraints] or [KeyUsage]s are malformed. The
    /// constraints returned by this method are not guaranteed to be valid.
    /// You should call `validate()` on the result to ensure that the
    /// constraints are valid according to the X.509 standard and the polyproto
    /// specification.
    fn try_from(value: Attributes) -> Result<Self, Self::Error> {
        let mut key_usages = KeyUsages::new(&[]);
        let mut basic_constraints = BasicConstraints::default();
        let mut num_basic_constraints = 0u8;
        for item in value.iter() {
            match item.oid.to_string().as_str() {
                #[allow(unreachable_patterns)] // cargo thinks the below pattern is unreachable.
                OID_KEY_USAGE => {
                    key_usages = KeyUsages::try_from(item.clone())?;
                }
                OID_BASIC_CONSTRAINTS => {
                    num_basic_constraints = num_basic_constraints.saturating_add(1);
                    if num_basic_constraints > 1 {
                        return Err(CertificateConversionError::InvalidInput(InvalidInput::Malformed("Tried inserting > 1 BasicConstraints into Capabilities. Expected 1 BasicConstraints".to_owned())));
                    }
                    basic_constraints = BasicConstraints::try_from(item.clone())?;
                }
                _ => (),
            }
        }
        Ok(Self { key_usage: key_usages, basic_constraints })
    }
}

impl TryFrom<Capabilities> for Attributes {
    type Error = CertificateConversionError;

    /// Performs the conversion.
    ///
    /// Fails, if `Capabilities::validate()` fails.
    fn try_from(value: Capabilities) -> Result<Self, Self::Error> {
        let mut sov = Self::new();
        let insertion = sov.insert(Attribute::try_from(value.key_usage)?);
        if insertion.is_err() {
            return Err(CertificateConversionError::InvalidInput(InvalidInput::Malformed("Tried inserting non-unique element into SetOfVec. You likely have a duplicate value in your Capabilities".to_owned())));
        }
        let insertion = sov.insert(Attribute::try_from(value.basic_constraints)?);
        if insertion.is_err() {
            return Err(CertificateConversionError::InvalidInput(InvalidInput::Malformed("Tried inserting non-unique element into SetOfVec. You likely have a duplicate value in your Capabilities".to_owned())));
        }
        Ok(sov)
    }
}

impl TryFrom<Capabilities> for Extensions {
    type Error = CertificateConversionError;
    /// Performs the conversion.
    ///
    /// try_from does **not** check whether the resulting [Extensions] are
    /// well-formed.
    fn try_from(value: Capabilities) -> Result<Self, Self::Error> {
        // the order is important
        Ok(vec![
            Extension::try_from(value.basic_constraints)?,
            Extension::try_from(value.key_usage)?,
        ])
    }
}

/// Capabilities for an **actor** certificate.
///
/// This newtype wraps [`Capabilities`] and guarantees that the contained
/// capabilities satisfy all actor-specific constraints (non-CA, signing
/// capability present). Use [`ActorCapabilities::try_new`] to construct one
/// from arbitrary [`Capabilities`], or [`ActorCapabilities::default`] for
/// the standard actor defaults.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct ActorCapabilities(pub(crate) Capabilities);

impl ActorCapabilities {
    /// Creates actor capabilities from key usages.
    ///
    /// CA flag is always `false` for actors, and `path_length` is always
    /// `None`.
    ///
    /// ## Errors
    ///
    /// Returns a [`crate::errors::ConstraintError`] if the capabilities are
    /// not valid for an actor (e.g. signing capability missing).
    pub fn try_new(key_usages: KeyUsages) -> Result<Self, crate::errors::ConstraintError> {
        let caps = Capabilities {
            key_usage: key_usages,
            basic_constraints: BasicConstraints { ca: false, path_length: None },
        };
        caps.validate_for_actor()?;
        Ok(Self(caps))
    }
}

impl Default for ActorCapabilities {
    fn default() -> Self {
        Self(Capabilities::default_actor())
    }
}

impl std::ops::Deref for ActorCapabilities {
    type Target = Capabilities;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl From<ActorCapabilities> for Capabilities {
    fn from(value: ActorCapabilities) -> Self {
        value.0
    }
}

impl TryFrom<Capabilities> for ActorCapabilities {
    type Error = crate::errors::ConstraintError;

    fn try_from(value: Capabilities) -> Result<Self, Self::Error> {
        Self::try_new(value.key_usage)
    }
}

/// Capabilities for a **home server** certificate.
///
/// This newtype wraps [`Capabilities`] and guarantees that the contained
/// capabilities satisfy all home-server-specific constraints (CA flag set,
/// `KeyCertSign` present). Use [`HomeServerCapabilities::try_new`] to
/// construct one from arbitrary [`Capabilities`], or
/// [`HomeServerCapabilities::default`] for the standard home server defaults.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct HomeServerCapabilities(pub Capabilities);

impl HomeServerCapabilities {
    /// Creates home server capabilities from key usages and path length.
    ///
    /// CA flag is always `true` for home servers. The `path_length` parameter
    /// controls the maximum certification path length.
    ///
    /// ## Errors
    ///
    /// Returns a [`crate::errors::ConstraintError`] if the capabilities are
    /// not valid for a home server (e.g. `KeyCertSign` missing).
    pub fn try_new(
        key_usages: KeyUsages,
        path_length: Option<u64>,
    ) -> Result<Self, crate::errors::ConstraintError> {
        let caps = Capabilities {
            key_usage: key_usages,
            basic_constraints: BasicConstraints { ca: true, path_length },
        };
        caps.validate_for_home_server()?;
        Ok(Self(caps))
    }
}

impl Default for HomeServerCapabilities {
    fn default() -> Self {
        Self(Capabilities::default_home_server())
    }
}

impl std::ops::Deref for HomeServerCapabilities {
    type Target = Capabilities;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl From<HomeServerCapabilities> for Capabilities {
    fn from(value: HomeServerCapabilities) -> Self {
        value.0
    }
}

impl TryFrom<Capabilities> for HomeServerCapabilities {
    type Error = crate::errors::ConstraintError;

    fn try_from(value: Capabilities) -> Result<Self, Self::Error> {
        Self::try_new(value.key_usage, value.basic_constraints.path_length)
    }
}

impl TryFrom<Extensions> for Capabilities {
    type Error = CertificateConversionError;

    /// Performs the conversion.
    ///
    /// try_from does **not** check whether the resulting [Capabilities] are
    /// well-formed. If this property is critical, use the
    /// `Capabilities::validate()` method to verify the well-formedness of
    /// these resulting [Capabilities].
    fn try_from(value: Extensions) -> Result<Self, Self::Error> {
        let mut basic_constraints: BasicConstraints = BasicConstraints::default();
        let mut key_usage: KeyUsages = KeyUsages::default();
        for item in value.iter() {
            #[allow(unreachable_patterns)] // cargo thinks that we have an unreachable pattern here
            match item.extn_id.to_string().as_str() {
                OID_BASIC_CONSTRAINTS => {
                    basic_constraints = BasicConstraints::try_from(item.clone())?
                }
                OID_KEY_USAGE => key_usage = KeyUsages::try_from(item.clone())?,
                _ => {
                    return Err(CertificateConversionError::InvalidInput(InvalidInput::Malformed(
                        format!(
                            "Invalid OID found for converting this set of Extensions to Capabilities: {} is not a valid OID for BasicConstraints or KeyUsages",
                            item.extn_id
                        ),
                    )));
                }
            };
        }
        Ok(Capabilities { key_usage, basic_constraints })
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod test {
    use spki::ObjectIdentifier;

    use super::*;

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_to_object_identifier() {
        let bc = BasicConstraints { ca: true, path_length: None };
        let _ = ObjectIdentifier::from(bc);
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_to_attribute() {
        let mut bc = BasicConstraints { ca: false, path_length: None };
        let _ = Attribute::try_from(bc).expect("Should not fail in test");

        bc.ca = true;
        let _ = Attribute::try_from(bc).expect("Should not fail in test");

        bc.path_length = Some(0);
        let _ = Attribute::try_from(bc).expect("Should not fail in test");

        // Why not test all sorts of values? :3
        let mut county_count = 2u64;
        while county_count != u64::MAX {
            bc.path_length = Some(county_count);
            let _ = Attribute::try_from(bc).expect("Should not fail in test");
            if let Some(res) = county_count.checked_mul(2) {
                county_count = res;
            } else {
                county_count = u64::MAX;
            }
        }
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod test_key_usage_from_attribute {
    use std::str::FromStr;

    use der::{Any, Tag, asn1::SetOfVec};
    use spki::ObjectIdentifier;

    use super::*;

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_key_usage_tag_mismatch() {
        let mut sov = SetOfVec::new();
        sov.insert(Any::new(Tag::Integer, vec![0x00]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str(OID_KEY_USAGE_CONTENT_COMMITMENT)
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = KeyUsages::try_from(attribute);
        assert!(result.is_err());
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_key_usage_wrong_oid() {
        let mut sov = SetOfVec::new();
        sov.insert(Any::new(Tag::Boolean, vec![0x00]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str("1.2.4.2.1.1.1.1.1.1.1.1.1.1.161.69")
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = KeyUsages::try_from(attribute);
        assert!(result.is_err());
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_key_usage_from_attribute_weird_bool_value() {
        let mut sov = SetOfVec::new();
        sov.insert(Any::new(Tag::Boolean, vec![0x02]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str(OID_KEY_USAGE_CONTENT_COMMITMENT)
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = KeyUsages::try_from(attribute);
        assert!(result.is_err());
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod test_basic_constraints_from_attribute {
    use std::str::FromStr;

    use der::{
        Any, Tag,
        asn1::{Ia5String, SetOfVec},
    };
    use spki::ObjectIdentifier;

    use super::*;

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_from_attribute() {
        let bc = BasicConstraints { ca: true, path_length: Some(0) };
        let attribute = Attribute::try_from(bc).expect("Should not fail in test");
        let result = BasicConstraints::try_from(attribute);
        assert!(result.is_ok());
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_wrong_value_type() {
        let mut sov = SetOfVec::new();
        sov.insert(
            Any::new(
                Tag::Ia5String,
                Ia5String::new("hello").expect("Should not fail in test").as_bytes(),
            )
            .expect("Should not fail in test"),
        )
        .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str(OID_BASIC_CONSTRAINTS)
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = BasicConstraints::try_from(attribute);
        assert!(result.is_err());
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_wrong_oid() {
        let bc = BasicConstraints { ca: true, path_length: Some(0) };
        let mut attribute = Attribute::try_from(bc).expect("Should not fail in test");
        attribute.oid =
            ObjectIdentifier::from_str("0.0.161.80085").expect("Should not fail in test");
        let result = BasicConstraints::try_from(attribute);
        assert!(result.is_err());
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_from_attribute_too_many_bools_or_ints() {
        let mut sov = SetOfVec::new();
        sov.insert(Any::new(Tag::Boolean, vec![0x00]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        sov.insert(Any::new(Tag::Boolean, vec![0x01]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str(OID_BASIC_CONSTRAINTS)
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = BasicConstraints::try_from(attribute);
        assert!(result.is_err());

        let mut sov = SetOfVec::new();
        sov.insert(Any::new(Tag::Integer, vec![0x00]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        sov.insert(Any::new(Tag::Integer, vec![0x01]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str(OID_BASIC_CONSTRAINTS)
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = BasicConstraints::try_from(attribute);
        assert!(result.is_err());
    }

    #[cfg_attr(target_arch = "wasm32", wasm_bindgen_test::wasm_bindgen_test)]
    #[cfg_attr(not(target_arch = "wasm32"), test)]
    fn test_basic_constraints_from_attribute_weird_bool_value() {
        let mut sov = SetOfVec::new();
        sov.insert(Any::new(Tag::Boolean, vec![0x02]).expect("Should not fail in test"))
            .expect("Should not fail in test");
        let attribute = Attribute {
            oid: ObjectIdentifier::from_str(OID_BASIC_CONSTRAINTS)
                .expect("Should not fail in test"),
            values: sov,
        };
        let result = BasicConstraints::try_from(attribute);
        assert!(result.is_err());
    }
}