
1//! PKIX X.509 Certificate Extensions (RFC 5280)
2
3pub mod certpolicy;
4pub mod constraints;
5pub mod crl;
6pub mod name;
7
8mod access;
9mod authkeyid;
10mod keyusage;
11mod policymap;
12#[cfg(feature = "sct")]
13pub mod sct;
14
15use crate::attr::AttributeTypeAndValue;
16
17pub use access::{AccessDescription, AuthorityInfoAccessSyntax, SubjectInfoAccessSyntax};
18pub use authkeyid::AuthorityKeyIdentifier;
19pub use certpolicy::CertificatePolicies;
20use const_oid::{AssociatedOid, ObjectIdentifier};
21pub use constraints::{BasicConstraints, NameConstraints, PolicyConstraints};
22pub use crl::{
23    BaseCrlNumber, CrlDistributionPoints, CrlNumber, CrlReason, FreshestCrl,
24    IssuingDistributionPoint,
25};
26pub use keyusage::{ExtendedKeyUsage, KeyUsage, KeyUsages, PrivateKeyUsagePeriod};
27pub use policymap::{PolicyMapping, PolicyMappings};
28
29#[cfg(feature = "sct")]
30pub use sct::{
31    Error, HashAlgorithm, SerializedSct, SignatureAlgorithm, SignatureAndHashAlgorithm,
32    SignedCertificateTimestamp, SignedCertificateTimestampList, Version,
33};
34
35pub use const_oid::db::rfc5280::{
36    ID_CE_INHIBIT_ANY_POLICY, ID_CE_ISSUER_ALT_NAME, ID_CE_SUBJECT_ALT_NAME,
37    ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES, ID_CE_SUBJECT_KEY_IDENTIFIER,
38};
39
40use alloc::vec::Vec;
41
42use der::asn1::OctetString;
43
/// SubjectKeyIdentifier as defined in [RFC 5280 Section 4.2.1.2].
///
/// ```text
/// SubjectKeyIdentifier ::= KeyIdentifier
/// ```
///
/// The wrapped [`OctetString`] carries the raw key identifier bytes. A
/// constructor taking a `&[u8]` is supplied by the `impl_key_identifier!`
/// invocation further down in this file (presumably fed a digest over the
/// subject public key — confirm against the macro definition). This type does
/// not derive `Default`: an identifier with no bytes has no meaning.
///
/// [RFC 5280 Section 4.2.1.2]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SubjectKeyIdentifier(pub OctetString);
53
// Binds the type to the RFC 5280 `id-ce-subjectKeyIdentifier` OID so that
// OID-keyed extension handling can identify it.
impl AssociatedOid for SubjectKeyIdentifier {
    const OID: ObjectIdentifier = ID_CE_SUBJECT_KEY_IDENTIFIER;
}
57
// Newtype conveniences around the inner `OctetString` (see the macro for the
// exact set of impls it generates).
impl_newtype!(SubjectKeyIdentifier, OctetString);
// RFC 5280 §4.2.1.2: conforming CAs MUST mark this extension as non-critical.
impl_extension!(SubjectKeyIdentifier, critical = false);
// Constructor from raw identifier bytes. `OctetString::new` is fallible (note
// the `?`), so an unrepresentable input surfaces as an error rather than a
// truncated identifier. What `result` is computed from is decided inside the
// macro — presumably a hash of the public key; TODO confirm.
impl_key_identifier!(
    SubjectKeyIdentifier,
    (|result: &[u8]| Ok(Self(OctetString::new(result)?)))
);
64
/// SubjectAltName as defined in [RFC 5280 Section 4.2.1.6].
///
/// ```text
/// SubjectAltName ::= GeneralNames
/// ```
///
/// NOTE(review): `Default` yields an empty `GeneralNames`. RFC 5280 constrains
/// `GeneralNames` to `SIZE (1..MAX)`, so the default value is not a valid
/// extension payload on its own; whether encoding rejects it is not visible
/// here — confirm before relying on `Default` as a "no SAN" placeholder.
///
/// [RFC 5280 Section 4.2.1.6]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct SubjectAltName(pub name::GeneralNames);
74
// Binds the type to the RFC 5280 `id-ce-subjectAltName` OID.
impl AssociatedOid for SubjectAltName {
    const OID: ObjectIdentifier = ID_CE_SUBJECT_ALT_NAME;
}
78
// Newtype conveniences around the inner `GeneralNames`. Unlike the other
// extensions in this file there is no `impl_extension!` with a fixed
// criticality: SubjectAltName decides it per certificate (see `AsExtension`
// below).
impl_newtype!(SubjectAltName, name::GeneralNames);
80
impl crate::ext::AsExtension for SubjectAltName {
    /// Chooses the `critical` flag for the SubjectAltName extension.
    ///
    /// Per RFC 5280 §4.2.1.6 the flag depends solely on whether the
    /// certificate's subject DN is empty: an empty subject means the SAN is
    /// the only subject identity and MUST be critical; a non-empty subject
    /// means the SAN is supplementary and SHOULD be non-critical. The other
    /// extensions (`_extensions`) do not influence the choice.
    ///
    /// This governs what a CA emits; it does not enforce the rule on the
    /// verification side.
    fn critical(&self, subject: &crate::name::Name, _extensions: &[super::Extension]) -> bool {
        // https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6
        //   Further, if the only subject identity included in the certificate is
        //   an alternative name form (e.g., an electronic mail address), then the
        //   subject distinguished name MUST be empty (an empty sequence), and the
        //   subjectAltName extension MUST be present.  If the subject field
        //   contains an empty sequence, then the issuing CA MUST include a
        //   subjectAltName extension that is marked as critical.  When including
        //   the subjectAltName extension in a certificate that has a non-empty
        //   subject distinguished name, conforming CAs SHOULD mark the
        //   subjectAltName extension as non-critical.
        if !subject.is_empty() {
            // Non-empty subject DN: the SAN is not the sole identity.
            return false;
        }

        // Empty subject DN: the SAN carries the only identity.
        true
    }
}
97
/// IssuerAltName as defined in [RFC 5280 Section 4.2.1.7].
///
/// ```text
/// IssuerAltName ::= GeneralNames
/// ```
///
/// Same representation as `SubjectAltName`, but describing the issuer. The
/// `Default` value is an empty `GeneralNames`, which does not satisfy the
/// `SIZE (1..MAX)` constraint RFC 5280 places on `GeneralNames`; whether
/// encoding rejects it is not visible here — confirm before using it.
///
/// [RFC 5280 Section 4.2.1.7]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.7
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct IssuerAltName(pub name::GeneralNames);
107
// Binds the type to the RFC 5280 `id-ce-issuerAltName` OID.
impl AssociatedOid for IssuerAltName {
    const OID: ObjectIdentifier = ID_CE_ISSUER_ALT_NAME;
}
111
// Newtype conveniences around the inner `GeneralNames`.
impl_newtype!(IssuerAltName, name::GeneralNames);
// RFC 5280 §4.2.1.7: where present, conforming CAs SHOULD mark this extension
// as non-critical. Unlike SubjectAltName, the subject DN plays no role here.
impl_extension!(IssuerAltName, critical = false);
114
/// SubjectDirectoryAttributes as defined in [RFC 5280 Section 4.2.1.8].
///
/// ```text
/// SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF AttributeSet
/// ```
///
/// NOTE(review): two points to confirm against the DER layer. First, the ASN.1
/// requires at least one element but `Default` produces an empty `Vec`, so the
/// default value is not a valid payload; whether encoding rejects it is not
/// visible here. Second, the Rust element type is [`AttributeTypeAndValue`]
/// (a single type/value pair) while the ASN.1 element is `AttributeSet`;
/// verify the encoded shape matches what peers expect.
///
/// [RFC 5280 Section 4.2.1.8]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.8
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct SubjectDirectoryAttributes(pub Vec<AttributeTypeAndValue>);
124
// Binds the type to the RFC 5280 `id-ce-subjectDirectoryAttributes` OID.
impl AssociatedOid for SubjectDirectoryAttributes {
    const OID: ObjectIdentifier = ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES;
}
128
// Newtype conveniences around the inner `Vec<AttributeTypeAndValue>`.
impl_newtype!(SubjectDirectoryAttributes, Vec<AttributeTypeAndValue>);
// RFC 5280 §4.2.1.8: conforming CAs MUST mark this extension as non-critical.
impl_extension!(SubjectDirectoryAttributes, critical = false);
131
/// InhibitAnyPolicy as defined in [RFC 5280 Section 4.2.1.14].
///
/// ```text
/// InhibitAnyPolicy ::= SkipCerts
/// ```
///
/// The value is the number of additional certificates that may appear in the
/// path before `anyPolicy` is no longer permitted; `Default` is `0`, i.e.
/// inhibit immediately. RFC 5280 defines `SkipCerts` as `INTEGER (0..MAX)`,
/// so a `u32` cannot represent every encodable value — how an out-of-range
/// value is handled on decode is not visible here (assumed to be a decode
/// error rather than truncation; confirm in the `der` layer).
///
/// [RFC 5280 Section 4.2.1.14]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.14
#[derive(Copy, Clone, Debug, Default, PartialEq, Eq)]
pub struct InhibitAnyPolicy(pub u32);
141
// Binds the type to the RFC 5280 `id-ce-inhibitAnyPolicy` OID.
impl AssociatedOid for InhibitAnyPolicy {
    const OID: ObjectIdentifier = ID_CE_INHIBIT_ANY_POLICY;
}
145
// Newtype conveniences around the inner `u32`.
impl_newtype!(InhibitAnyPolicy, u32);
// RFC 5280 §4.2.1.14: conforming CAs MUST mark this extension as critical.
// It constrains policy processing for the rest of the path, so a verifier
// that does not understand it must reject the certificate rather than skip it.
impl_extension!(InhibitAnyPolicy, critical = true);