Struct rpki::repository::cert::Cert

pub struct Cert { /* private fields */ }

A raw resource certificate.

A value of this type represents a resource certificate. It can be one of three different variants.

A CA certificate appears in its own file in the repository. Its main use is to sign other certificates.

An EE certificate is used to sign other objects in the repository, such as manifests or ROAs and is included in the file of these objects. In RPKI, EE certificates are used only once. Whenever a new object is created, a new EE certificate is created, signed by its CA, used to sign the object, and then the private key is thrown away.

Finally, TA certificates are the installed trust anchors. These are self-signed.

If a certificate is stored in a file, you can use the decode function to parse the entire file. If the certificate is part of some other structure, the take_from and from_constructed functions can be used during parsing of that structure.

Once parsing succeeded, the three methods validate_ca, validate_ee, and validate_ta can be used to validate the certificate and turn it into a ResourceCert so it can be used for further processing. In addition, various methods exist to access information contained in the certificate.

Implementations

impl Cert

Decoding and Encoding

pub fn decode<S: Source>(source: S) -> Result<Self, S::Err>

Decodes a source as a certificate.

pub fn take_from<S: Source>(
    cons: &mut Constructed<'_, S>
) -> Result<Self, S::Err>

Takes an encoded certificate from the beginning of a value.

This function assumes that the certificate is encoded in the next constructed value in cons tagged as a sequence.

pub fn take_opt_from<S: Source>(
    cons: &mut Constructed<'_, S>
) -> Result<Option<Self>, S::Err>

Takes an optional certificate from the beginning of a value.

pub fn from_constructed<S: Source>(
    cons: &mut Constructed<'_, S>
) -> Result<Self, S::Err>

Parses the content of a Certificate sequence.

pub fn encode_ref(&self) -> impl Values + '_

Returns a value encoder for a reference to the certificate.

pub fn to_captured(&self) -> Captured

Returns a captured encoding of the certificate.

impl Cert

Validation

When validating a certificate, two properties are checked: whether the certificate’s structure and content comply with the specification for resource certificates laid out in [RFC 6487] and whether the certificate has been correctly issued by its CA.

In some cases it is useful to perform these two steps separately. Therefore, methods are available both for each step and for doing both steps at once. Since we need to name these consistently, we devised the following convention:

The first step that validates compliance with the specification is called inspection. Methods are available to inspect different kinds of certificates. They all have the verb inspect in their name. Only the certificate itself is necessary to perform inspection.

The second step checking whether the certificate was correctly issued is called verification. Methods are available to verify different kinds of certificates. They all have the verb verify in their name and, in most cases, require access to the issuer certificate.

In addition, methods are available to perform both steps at once for different kinds of certificates. These all have validate in their name.

pub fn validate_ta(
    self,
    tal: Arc<TalInfo>,
    strict: bool
) -> Result<ResourceCert, ValidationError>

Validates the certificate as a trust anchor.

This validates that the certificate “is a current, self-signed RPKI CA certificate that conforms to the profile as specified in RFC6487” (RFC7730, section 3, step 2).

pub fn validate_ta_at(
    self,
    tal: Arc<TalInfo>,
    strict: bool,
    now: Time
) -> Result<ResourceCert, ValidationError>

pub fn validate_ca(
    self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<ResourceCert, ValidationError>

Validates the certificate as a CA certificate.

For validation to succeed, the certificate needs to have been signed by the provided issuer certificate.

Note that this does not check the CRL.

pub fn validate_ca_at(
    self,
    issuer: &ResourceCert,
    strict: bool,
    now: Time
) -> Result<ResourceCert, ValidationError>

pub fn validate_ee(
    self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<ResourceCert, ValidationError>

Validates the certificate as an EE RPKI-internal certificate.

For validation to succeed, the certificate needs to have been signed by the provided issuer certificate.

Note that this does not check the CRL.

Note further that this method should not be used for router certificates. Use validate_router for that.

pub fn validate_ee_at(
    self,
    issuer: &ResourceCert,
    strict: bool,
    now: Time
) -> Result<ResourceCert, ValidationError>

pub fn validate_detached_ee(
    self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<ResourceCert, ValidationError>

pub fn validate_detached_ee_at(
    self,
    issuer: &ResourceCert,
    strict: bool,
    now: Time
) -> Result<ResourceCert, ValidationError>

pub fn validate_router(
    &self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<(), ValidationError>

pub fn validate_router_at(
    &self,
    issuer: &ResourceCert,
    strict: bool,
    now: Time
) -> Result<(), ValidationError>

pub fn inspect_ta(&self, strict: bool) -> Result<(), ValidationError>

pub fn inspect_ta_at(
    &self,
    strict: bool,
    now: Time
) -> Result<(), ValidationError>

pub fn inspect_ca(&self, strict: bool) -> Result<(), ValidationError>

pub fn inspect_ca_at(
    &self,
    strict: bool,
    now: Time
) -> Result<(), ValidationError>

pub fn inspect_ee(&self, strict: bool) -> Result<(), ValidationError>

pub fn inspect_ee_at(
    &self,
    strict: bool,
    now: Time
) -> Result<(), ValidationError>

pub fn inspect_detached_ee(&self, strict: bool) -> Result<(), ValidationError>

pub fn inspect_detached_ee_at(
    &self,
    strict: bool,
    now: Time
) -> Result<(), ValidationError>

pub fn inspect_router(&self, strict: bool) -> Result<(), ValidationError>

pub fn inspect_router_at(
    &self,
    strict: bool,
    now: Time
) -> Result<(), ValidationError>

pub fn verify_ta(
    self,
    tal: Arc<TalInfo>,
    _strict: bool
) -> Result<ResourceCert, ValidationError>

pub fn verify_ta_ref(&self, _strict: bool) -> Result<(), ValidationError>

pub fn verify_ca(
    self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<ResourceCert, ValidationError>

pub fn verify_ee(
    self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<ResourceCert, ValidationError>

pub fn verify_router(
    &self,
    issuer: &ResourceCert,
    strict: bool
) -> Result<(), ValidationError>

pub fn verify_issuer_claim(
    &self,
    issuer: &ResourceCert,
    _strict: bool
) -> Result<(), ValidationError>

Verifies that the certificate claims to have been issued by issuer.

This is only the first part of verification. You must call verified_signature, too.

pub fn verify_signature(
    &self,
    issuer: &Cert,
    _strict: bool
) -> Result<(), ValidationError>

Validates the certificate’s signature.

Methods from Deref<Target = TbsCert>

pub fn serial_number(&self) -> Serial

Returns the serial number of the certificate.

pub fn issuer(&self) -> &Name

Returns a reference to the issuer.

pub fn validity(&self) -> Validity

Returns a reference to the validity.

pub fn subject(&self) -> &Name

Returns a reference to the subject.

pub fn subject_public_key_info(&self) -> &PublicKey

Returns a reference to the public key.

pub fn basic_ca(&self) -> Option<bool>

Returns the cA field of the basic constraints extension if present.

pub fn subject_key_identifier(&self) -> KeyIdentifier

Returns a reference to the subject key identifier.

There is no method to set this extension as this happens automatically when the subject public key is set via set_subject_public_key.

pub fn authority_key_identifier(&self) -> Option<KeyIdentifier>

Returns a reference to the authority key identifier if present.

pub fn key_usage(&self) -> KeyUsage

Returns the key usage of the certificate.

pub fn extended_key_usage(&self) -> Option<&Captured>

Returns a reference to the extended key usage if present.

Since this field isn’t allowed in any certificate used for RPKI objects directly, we do not currently support setting this field.

pub fn crl_uri(&self) -> Option<&Rsync>

Returns a reference to the certificate’s CRL distribution point.

pub fn ca_issuer(&self) -> Option<&Rsync>

Returns a reference to caIssuer AIA rsync URI if present.

pub fn ca_repository(&self) -> Option<&Rsync>

Returns a reference to the caRepository SIA rsync URI if present.

pub fn rpki_manifest(&self) -> Option<&Rsync>

Returns a reference to the rpkiManifest SIA rsync URI if present.

pub fn signed_object(&self) -> Option<&Rsync>

Returns a reference to the signedObject SIA rsync URI if present.

pub fn rpki_notify(&self) -> Option<&Https>

Returns a reference to the rpkiNotify SIA HTTPS URI if present.

pub fn overclaim(&self) -> Overclaim

Returns the overclaim mode of the certificate.

pub fn v4_resources(&self) -> &IpResources

Returns a reference to the IPv4 address resources if present.

pub fn v6_resources(&self) -> &IpResources

Returns a reference to the IPv6 address resources if present.

pub fn has_ip_resources(&self) -> bool

Returns whether the certificate has any IP resources at all.

pub fn as_resources(&self) -> &AsResources

Returns a reference to the AS resources.

pub fn is_ca(&self) -> bool

Returns whether this is a CA certificate if validation succeeds.

pub fn is_self_signed(&self) -> bool

Returns whether this is a self-signed certificate if valid.

pub fn encode_ref(&self) -> impl Values + '_

Returns an encoder for the value.

Trait Implementations

impl AsRef<Cert> for Cert

fn as_ref(&self) -> &Self

Performs the conversion.

impl AsRef<Cert> for ResourceCert

fn as_ref(&self) -> &Cert

Performs the conversion.

impl AsRef<TbsCert> for Cert

fn as_ref(&self) -> &TbsCert

Performs the conversion.

impl Borrow<TbsCert> for Cert

fn borrow(&self) -> &TbsCert

Immutably borrows from an owned value.

impl Clone for Cert

fn clone(&self) -> Cert

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Cert

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Deref for Cert

type Target = TbsCert

The resulting type after dereferencing.

fn deref(&self) -> &Self::Target

Dereferences the value.

impl<'de> Deserialize<'de> for Cert

fn deserialize<D: Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error>

Deserialize this value from the given Serde deserializer.

impl Serialize for Cert

fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error>

Serialize this value into the given Serde serializer.