pub struct Cert { /* private fields */ }
A raw resource certificate.
A value of this type represents a resource certificate. It can be one of three different variants.
A CA certificate appears in its own file in the repository. Its main use is to sign other certificates.
An EE certificate is used to sign other objects in the repository, such as manifests or ROAs and is included in the file of these objects. In RPKI, EE certificates are used only once. Whenever a new object is created, a new EE certificate is created, signed by its CA, used to sign the object, and then the private key is thrown away.
Finally, TA certificates are the installed trust anchors. These are self-signed.
If a certificate is stored in a file, you can use the decode function to parse the entire file. If the certificate is part of some other structure, the take_from and from_constructed functions can be used during parsing of that structure.
Once parsing has succeeded, the three methods validate_ca, validate_ee, and validate_ta can be used to validate the certificate and turn it into a ResourceCert so it can be used for further processing. In addition, various methods exist to access information contained in the certificate.
Implementations
impl Cert
pub fn take_from<S: Source>(
cons: &mut Constructed<'_, S>
) -> Result<Self, S::Err>
Takes an encoded certificate from the beginning of a value.
This function assumes that the certificate is encoded in the next constructed value in cons, tagged as a sequence.
pub fn take_opt_from<S: Source>(
cons: &mut Constructed<'_, S>
) -> Result<Option<Self>, S::Err>
Takes an optional certificate from the beginning of a value.
pub fn from_constructed<S: Source>(
cons: &mut Constructed<'_, S>
) -> Result<Self, S::Err>
Parses the content of a Certificate sequence.
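A stand-alone illustration of the take_from / take_opt_from contract, added here and not part of the rpki crate: a hypothetical Cursor type stands in for bcder's Constructed, and take_sequence / take_opt_sequence mirror the rule that the certificate must be the next value tagged as a SEQUENCE (the content bytes are returned rather than parsed into a Cert). It also enforces DER's minimal-length rule, which the paragraph above does not mention.

```rust
// Added example, not code from the rpki crate: a minimal DER cursor that mirrors the
// take_from / take_opt_from contract. The crate uses bcder's Constructed; this stand-in
// only understands the outer SEQUENCE framing and hands back the raw certificate bytes.
const TAG_SEQUENCE: u8 = 0x30;

#[derive(Debug, PartialEq)]
pub enum DerError { Truncated, BadLength, WrongTag(u8) }

/// Cursor over DER content; a hypothetical stand-in for `Constructed<'_, S>`.
pub struct Cursor<'a> { data: &'a [u8], pos: usize }

impl<'a> Cursor<'a> {
    pub fn new(data: &'a [u8]) -> Self { Cursor { data, pos: 0 } }
    pub fn is_exhausted(&self) -> bool { self.pos >= self.data.len() }

    /// Reads a DER length; rejects indefinite and non-minimal (BER-only) encodings.
    fn read_length(&mut self) -> Result<usize, DerError> {
        let first = *self.data.get(self.pos).ok_or(DerError::Truncated)?;
        self.pos += 1;
        if first < 0x80 { return Ok(first as usize); }
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 { return Err(DerError::BadLength); }
        let bytes = self.data.get(self.pos..self.pos + n).ok_or(DerError::Truncated)?;
        self.pos += n;
        let len = bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if bytes[0] == 0 || len < 0x80 { return Err(DerError::BadLength); }
        Ok(len)
    }

    /// Like `Cert::take_from`: the next value must be a SEQUENCE; returns its content.
    pub fn take_sequence(&mut self) -> Result<&'a [u8], DerError> {
        let data = self.data;
        let tag = *data.get(self.pos).ok_or(DerError::Truncated)?;
        if tag != TAG_SEQUENCE { return Err(DerError::WrongTag(tag)); }
        self.pos += 1;
        let len = self.read_length()?;
        let end = self.pos.checked_add(len).ok_or(DerError::BadLength)?;
        let content = data.get(self.pos..end).ok_or(DerError::Truncated)?;
        self.pos = end;
        Ok(content)
    }

    /// Like `Cert::take_opt_from`: `None` when the next value is not a SEQUENCE.
    pub fn take_opt_sequence(&mut self) -> Result<Option<&'a [u8]>, DerError> {
        match self.data.get(self.pos) {
            Some(&TAG_SEQUENCE) => self.take_sequence().map(Some),
            _ => Ok(None),
        }
    }
}
```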
pub fn encode_ref(&self) -> impl Values + '_
Returns a value encoder for a reference to the certificate.
pub fn to_captured(&self) -> Captured
Returns a captured encoding of the certificate.
impl Cert
Validation
When validating a certificate, two properties are checked: whether the certificate’s structure and content comply with the specification for resource certificates laid out in [RFC 6487] and whether the certificate has been correctly issued by its CA.
In some cases it is useful to perform these two steps separately. Therefore, methods are available both for each step and for doing both steps at once. Since we need to name these consistently, we devised the following convention:
The first step that validates compliance with the specification is called inspection. Methods are available to inspect different kinds of certificates. They all have the verb inspect in their name. Only the certificate itself is necessary to perform inspection.
The second step checking whether the certificate was correctly issued is called verification. Methods are available to verify different kinds of certificates. They all have the verb verify in their name and, in most cases, require access to the issuer certificate.
In addition, methods are available to perform both steps at once for different kinds of certificates. These all have validate in their name.
pub fn validate_ta(
self,
tal: Arc<TalInfo>,
strict: bool
) -> Result<ResourceCert, ValidationError>
Validates the certificate as a trust anchor.
This validates that the certificate “is a current, self-signed RPKI CA certificate that conforms to the profile as specified in RFC6487” (RFC7730, section 3, step 2).
pub fn validate_ta_at(
self,
tal: Arc<TalInfo>,
strict: bool,
now: Time
) -> Result<ResourceCert, ValidationError>
pub fn validate_ca(
self,
issuer: &ResourceCert,
strict: bool
) -> Result<ResourceCert, ValidationError>
Validates the certificate as a CA certificate.
For validation to succeed, the certificate needs to have been signed by the provided issuer certificate.
Note that this does not check the CRL.
pub fn validate_ca_at(
self,
issuer: &ResourceCert,
strict: bool,
now: Time
) -> Result<ResourceCert, ValidationError>
pub fn validate_ee(
self,
issuer: &ResourceCert,
strict: bool
) -> Result<ResourceCert, ValidationError>
Validates the certificate as an EE RPKI-internal certificate.
For validation to succeed, the certificate needs to have been signed by the provided issuer certificate.
Note that this does not check the CRL.
Note further that this method should not be used for router certificates. Use validate_router for that.
pub fn validate_ee_at(
self,
issuer: &ResourceCert,
strict: bool,
now: Time
) -> Result<ResourceCert, ValidationError>
pub fn validate_detached_ee(
self,
issuer: &ResourceCert,
strict: bool
) -> Result<ResourceCert, ValidationError>
pub fn validate_detached_ee_at(
self,
issuer: &ResourceCert,
strict: bool,
now: Time
) -> Result<ResourceCert, ValidationError>
pub fn validate_router(
&self,
issuer: &ResourceCert,
strict: bool
) -> Result<(), ValidationError>
pub fn validate_router_at(
&self,
issuer: &ResourceCert,
strict: bool,
now: Time
) -> Result<(), ValidationError>
pub fn inspect_ta(&self, strict: bool) -> Result<(), ValidationError>
pub fn inspect_ta_at(
&self,
strict: bool,
now: Time
) -> Result<(), ValidationError>
pub fn inspect_ca(&self, strict: bool) -> Result<(), ValidationError>
pub fn inspect_ca_at(
&self,
strict: bool,
now: Time
) -> Result<(), ValidationError>
pub fn inspect_ee(&self, strict: bool) -> Result<(), ValidationError>
pub fn inspect_ee_at(
&self,
strict: bool,
now: Time
) -> Result<(), ValidationError>
pub fn inspect_detached_ee(&self, strict: bool) -> Result<(), ValidationError>
pub fn inspect_detached_ee_at(
&self,
strict: bool,
now: Time
) -> Result<(), ValidationError>
pub fn inspect_router(&self, strict: bool) -> Result<(), ValidationError>
pub fn inspect_router_at(
&self,
strict: bool,
now: Time
) -> Result<(), ValidationError>
pub fn verify_ta(
self,
tal: Arc<TalInfo>,
_strict: bool
) -> Result<ResourceCert, ValidationError>
pub fn verify_ta_ref(&self, _strict: bool) -> Result<(), ValidationError>
pub fn verify_ca(
self,
issuer: &ResourceCert,
strict: bool
) -> Result<ResourceCert, ValidationError>
pub fn verify_ee(
self,
issuer: &ResourceCert,
strict: bool
) -> Result<ResourceCert, ValidationError>
pub fn verify_router(
&self,
issuer: &ResourceCert,
strict: bool
) -> Result<(), ValidationError>
pub fn verify_issuer_claim(
&self,
issuer: &ResourceCert,
_strict: bool
) -> Result<(), ValidationError>
Verifies that the certificate claims to have been issued by issuer.
This is only the first part of verification. You must call verify_signature, too.
pub fn verify_signature(
&self,
issuer: &Cert,
_strict: bool
) -> Result<(), ValidationError>
Validates the certificate’s signature.
Methods from Deref<Target = TbsCert>
pub fn serial_number(&self) -> Serial
Returns the serial number of the certificate.
pub fn subject_public_key_info(&self) -> &PublicKey
Returns a reference to the public key.
pub fn basic_ca(&self) -> Option<bool>
Returns the cA field of the basic constraints extension if present.
pub fn subject_key_identifier(&self) -> KeyIdentifier
Returns a reference to the subject key identifier.
There is no method to set this extension as this happens automatically when the subject public key is set via set_subject_public_key.
Returns a reference to the authority key identifier if present.
pub fn extended_key_usage(&self) -> Option<&Captured>
Returns a reference to the extended key usage if present.
Since this field isn’t allowed in any certificate used for RPKI objects directly, we do not currently support setting this field.
pub fn crl_uri(&self) -> Option<&Rsync>
Returns a reference to the certificate’s CRL distribution point.
pub fn ca_issuer(&self) -> Option<&Rsync>
Returns a reference to the caIssuer AIA rsync URI if present.
pub fn ca_repository(&self) -> Option<&Rsync>
Returns a reference to the caRepository SIA rsync URI if present.
pub fn rpki_manifest(&self) -> Option<&Rsync>
Returns a reference to the rpkiManifest SIA rsync URI if present.
pub fn signed_object(&self) -> Option<&Rsync>
Returns a reference to the signedObject SIA rsync URI if present.
pub fn rpki_notify(&self) -> Option<&Https>
Returns a reference to the rpkiNotify SIA HTTPS URI if present.
pub fn v4_resources(&self) -> &IpResources
Returns a reference to the IPv4 address resources if present.
pub fn v6_resources(&self) -> &IpResources
Returns a reference to the IPv6 address resources if present.
pub fn has_ip_resources(&self) -> bool
Returns whether the certificate has any IP resources at all.
pub fn as_resources(&self) -> &AsResources
Returns a reference to the AS resources.
pub fn is_self_signed(&self) -> bool
Returns whether this is a self-signed certificate if valid.
pub fn encode_ref(&self) -> impl Values + '_
Returns an encoder for the value.
Trait Implementations
impl<'de> Deserialize<'de> for Cert
fn deserialize<D: Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error>
Deserialize this value from the given Serde deserializer.
Auto Trait Implementations
impl RefUnwindSafe for Cert
impl Send for Cert
impl Sync for Cert
impl Unpin for Cert
impl UnwindSafe for Cert
Blanket Implementations
impl<T> BorrowMut<T> for T where
T: ?Sized,
pub fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.
impl<T> ToOwned for T where
T: Clone,
type Owned = T
The resulting type after obtaining ownership.
pub fn to_owned(&self) -> T
Creates owned data from borrowed data, usually by cloning.
pub fn clone_into(&self, target: &mut T)
Uses borrowed data to replace owned data, usually by cloning.