Skip to content

x509-cert: Only allow Certificates to be constructed via either the builder or deserialization #1486

Description

@str4d

The Certificate type is currently completely transparent:

pub type Certificate = CertificateInner<Rfc5280>;

pub struct CertificateInner<P: Profile + 'static = Rfc5280> {
pub tbs_certificate: TbsCertificateInner<P>,
pub signature_algorithm: AlgorithmIdentifierOwned,
pub signature: BitString,
}

pub struct TbsCertificateInner<P: Profile + 'static = Rfc5280> {
/// The certificate version
///
/// Note that this value defaults to Version 1 per the RFC. However,
/// fields such as `issuer_unique_id`, `subject_unique_id` and `extensions`
/// require later versions. Care should be taken in order to ensure
/// standards compliance.
#[asn1(context_specific = "0", default = "Default::default")]
pub version: Version,
pub serial_number: SerialNumber<P>,
pub signature: AlgorithmIdentifierOwned,
pub issuer: Name,
pub validity: Validity,
pub subject: Name,
pub subject_public_key_info: SubjectPublicKeyInfoOwned,
#[asn1(context_specific = "1", tag_mode = "IMPLICIT", optional = "true")]
pub issuer_unique_id: Option<BitString>,
#[asn1(context_specific = "2", tag_mode = "IMPLICIT", optional = "true")]
pub subject_unique_id: Option<BitString>,
#[asn1(context_specific = "3", tag_mode = "EXPLICIT", optional = "true")]
pub extensions: Option<crate::ext::Extensions>,
}

This enables arbitrarily-invalid Certificates to be constructed. In particular, this means that the P: Profile generic parameter cannot be trusted; if a downstream API receives an &CertificateInner<Rfc5280>, they have zero guarantee that it is actually valid under the RFC 5280 profile.

The x509-cert crate's public API should be altered to make Certificate (and all types below it) opaque, replacing direct field access with getter methods. This would then enable Certificates to be correct-by-construction, by enforcing the relevant Profile in the builder or during deserialization.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions