Trait tugger_apple_codesign::AppleCertificate[][src]

pub trait AppleCertificate: Sized {
    fn is_apple_root_ca(&self) -> bool;

    fn is_apple_intermediate_ca(&self) -> bool;

    fn apple_ca_extension(&self) -> Option<CertificateAuthorityExtension>;

    fn apple_extended_key_usage_purposes(&self) -> Vec<ExtendedKeyUsagePurpose>;

    fn apple_code_signing_extensions(
        &self
    ) -> Vec<CodeSigningCertificateExtension>;

    fn apple_guess_profile(&self) -> Option<CertificateProfile>;

    fn apple_issuing_chain(&self) -> Vec<KnownCertificate>;

    fn chains_to_apple_root_ca(&self) -> bool;

    fn apple_root_certificate_chain(
        &self
    ) -> Option<Vec<CapturedX509Certificate>>;

    fn apple_team_id(&self) -> Option<String>;
}
Expand description

Extends functionality of CapturedX509Certificate with Apple specific certificate knowledge.

Required methods

Whether this is a known Apple root certificate authority.

We define this criteria as a certificate in our built-in list of known Apple certificates that has the same subject and issuer Names.

Whether this is a known Apple intermediate certificate authority.

This is similar to Self::is_apple_root_ca except it doesn’t match against known self-signed Apple certificates.

Find a CertificateAuthorityExtension present on this certificate.

If this returns Some(T), the certificate says it is an Apple certificate whose role is issuing other certificates using for signing things.

This function does not perform trust validation that the underlying certificate is a legitimate Apple issued certificate: just that it has the desired property.

Obtain all of Apple’s ExtendedKeyUsagePurpose in this certificate.

Obtain all of Apple’s CodeSigningCertificateExtension in this certificate.

Attempt to guess the CertificateProfile associated with this certificate.

This keys off present certificate extensions to guess which profile it belongs to. Incorrect guesses are possible, which is why guess is in the function name.

Returns None if we don’t think a CertificateProfile is associated with this extension.

Attempt to resolve the certificate issuer chain back to AppleCertificate.

This is a glorified wrapper around CapturedX509Certificate::resolve_signing_chain that filters matches against certificates in our known set of Apple certificates and maps them back to our KnownCertificate Rust enumeration.

False negatives (read: missing certificates) can be encountered if we don’t know about an Apple CA certificate.

Whether this certificate chains back to a known Apple root certificate authority.

This is true if the resolved certificate issuance chain (which is confirmed via verifying the cryptographic signatures on certificates) ands in a certificate that is known to be an Apple root CA.

Obtain the chain of issuing certificates, back to a known Apple root.

The returned chain starts with this certificate and ends with a known Apple root certificate authority. None is returned if this certificate doesn’t appear to chain to a known Apple root CA.

Attempt to resolve the team id of an Apple issued certificate.

The team id is a value like AB42XYZ789 that is attached to your Apple Developer account. It seems to always be embedded in signing certificates as the Organizational Unit field of the subject. So this function is just a shortcut for retrieving that.

Implementations on Foreign Types

Implementors