Struct x509_certificate::rfc5280::TbsCertificate

pub struct TbsCertificate {
    pub version: Option<Version>,
    pub serial_number: CertificateSerialNumber,
    pub signature: AlgorithmIdentifier,
    pub issuer: Name,
    pub validity: Validity,
    pub subject: Name,
    pub subject_public_key_info: SubjectPublicKeyInfo,
    pub issuer_unique_id: Option<UniqueIdentifier>,
    pub subject_unique_id: Option<UniqueIdentifier>,
    pub extensions: Option<Extensions>,
    pub raw_data: Option<Vec<u8>>,
}

TBS Certificate.

This holds most of the metadata within an X.509 certificate.

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  Extensions OPTIONAL
                          -- If present, version MUST be v3 --  }

Fields

version: Option<Version>

serial_number: CertificateSerialNumber

signature: AlgorithmIdentifier

issuer: Name

validity: Validity

subject: Name

subject_public_key_info: SubjectPublicKeyInfo

issuer_unique_id: Option<UniqueIdentifier>

subject_unique_id: Option<UniqueIdentifier>

extensions: Option<Extensions>

raw_data: Option<Vec<u8>>

Raw bytes this instance was constructed from.

This is what signature verification should be performed against.

Implementations

impl TbsCertificate

pub fn take_from<S: Source>(
    cons: &mut Constructed<'_, S>
) -> Result<Self, DecodeError<S::Error>>

Examples found in repository

src/rfc5280.rs (line 194)

    pub fn from_sequence<S: Source>(
        cons: &mut Constructed<S>,
    ) -> Result<Self, DecodeError<S::Error>> {
        let tbs_certificate = TbsCertificate::take_from(cons)?;
        let signature_algorithm = AlgorithmIdentifier::take_from(cons)?;
        let signature = BitString::take_from(cons)?;

        Ok(Self {
            tbs_certificate,
            signature_algorithm,
            signature,
        })
    }

pub fn encode_ref(&self) -> impl Values + '_

Examples found in repository

src/rfc5280.rs (line 207)

    pub fn encode_ref(&self) -> impl Values + '_ {
        encode::sequence((
            self.tbs_certificate.encode_ref(),
            &self.signature_algorithm,
            self.signature.encode_ref(),
        ))
    }

src/certificate.rs (line 1013)

    pub fn create_with_random_keypair(
        &self,
    ) -> Result<
        (
            CapturedX509Certificate,
            InMemorySigningKeyPair,
            ring::pkcs8::Document,
        ),
        Error,
    > {
        let (key_pair, document) = InMemorySigningKeyPair::generate_random(self.key_algorithm)?;

        let key_pair_signature_algorithm = key_pair.signature_algorithm();

        let issuer = if let Some(issuer) = &self.issuer {
            issuer
        } else {
            &self.subject
        };

        let tbs_certificate = rfc5280::TbsCertificate {
            version: Some(rfc5280::Version::V3),
            serial_number: self.serial_number.into(),
            signature: key_pair_signature_algorithm?.into(),
            issuer: issuer.clone(),
            validity: rfc5280::Validity {
                not_before: Time::from(self.not_before),
                not_after: Time::from(self.not_after),
            },
            subject: self.subject.clone(),
            subject_public_key_info: rfc5280::SubjectPublicKeyInfo {
                algorithm: key_pair
                    .key_algorithm()
                    .expect("InMemorySigningKeyPair always has known key algorithm")
                    .into(),
                subject_public_key: BitString::new(0, key_pair.public_key_data()),
            },
            issuer_unique_id: None,
            subject_unique_id: None,
            extensions: if self.extensions.is_empty() {
                None
            } else {
                Some(self.extensions.clone())
            },
            raw_data: None,
        };

        // Now encode the TBS certificate so we can sign it with the private key
        // and include its signature.
        let mut tbs_der = Vec::<u8>::new();
        tbs_certificate
            .encode_ref()
            .write_encoded(Mode::Der, &mut tbs_der)?;

        let signature = key_pair.try_sign(&tbs_der)?;
        let signature_algorithm = key_pair.signature_algorithm()?;

        let cert = rfc5280::Certificate {
            tbs_certificate,
            signature_algorithm: signature_algorithm.into(),
            signature: BitString::new(0, Bytes::copy_from_slice(signature.as_ref())),
        };

        let cert = X509Certificate::from(cert);
        let cert_der = cert.encode_der()?;

        let cert = CapturedX509Certificate::from_der(cert_der)?;

        Ok((cert, key_pair, document))
    }

Trait Implementations

impl Clone for TbsCertificate

fn clone(&self) -> TbsCertificate

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for TbsCertificate

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq<TbsCertificate> for TbsCertificate

fn eq(&self, other: &TbsCertificate) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for TbsCertificate

impl StructuralEq for TbsCertificate

impl StructuralPartialEq for TbsCertificate