1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

use crate::extensions::*;
use crate::validate::*;
use std::collections::HashSet;

// extra-pedantic checks

const WARN_SHOULD_BE_CRITICAL: bool = false;

macro_rules! test_critical {
    (MUST $ext:ident, $l:ident, $name:expr) => {
        if !$ext.critical {
            $l.err(&format!("Extension {} MUST be critical, but is not", $name));
        }
    };
    (MUST NOT $ext:ident, $l:ident, $name:expr) => {
        if $ext.critical {
            $l.err(&format!("Extension {} MUST NOT be critical, but is", $name));
        }
    };
    (SHOULD $ext:ident, $l:ident, $name:expr) => {
        if WARN_SHOULD_BE_CRITICAL && !$ext.critical {
            $l.warn(&format!(
                "Extension {} SHOULD be critical, but is not",
                $name
            ));
        }
    };
    (SHOULD NOT $ext:ident, $l:ident, $name:expr) => {
        if WARN_SHOULD_BE_CRITICAL && $ext.critical {
            $l.warn(&format!(
                "Extension {} SHOULD NOT be critical, but is",
                $name
            ));
        }
    };
}

#[derive(Debug)]
pub struct X509ExtensionsValidator;

impl<'a> Validator<'a> for X509ExtensionsValidator {
    type Item = &'a [X509Extension<'a>];

    fn validate<L: Logger>(&self, item: &'a Self::Item, l: &'_ mut L) -> bool {
        let mut res = true;
        // check for duplicate extensions
        {
            let mut m = HashSet::new();
            for ext in item.iter() {
                if m.contains(&ext.oid) {
                    l.err(&format!("Duplicate extension {}", ext.oid));
                    res = false;
                } else {
                    m.insert(ext.oid.clone());
                }
            }
        }

        for ext in item.iter() {
            // specific extension checks
            match ext.parsed_extension() {
                ParsedExtension::AuthorityKeyIdentifier(aki) => {
                    // Conforming CAs MUST mark this extension as non-critical
                    test_critical!(MUST NOT ext, l, "AKI");
                    // issuer or serial is present must be either both present or both absent
                    if aki.authority_cert_issuer.is_some() ^ aki.authority_cert_serial.is_some() {
                        l.warn("AKI: only one of Issuer and Serial is present");
                    }
                }
                ParsedExtension::CertificatePolicies(policies) => {
                    // A certificate policy OID MUST NOT appear more than once in a
                    // certificate policies extension.
                    let mut policy_oids = HashSet::new();
                    for policy_info in policies {
                        if policy_oids.contains(&policy_info.policy_id) {
                            l.err(&format!(
                                "Certificate Policies: duplicate policy {}",
                                policy_info.policy_id
                            ));
                            res = false;
                        } else {
                            policy_oids.insert(policy_info.policy_id.clone());
                        }
                    }
                }
                ParsedExtension::KeyUsage(ku) => {
                    // SHOULD be critical
                    test_critical!(SHOULD ext, l, "KeyUsage");
                    // When the keyUsage extension appears in a certificate, at least one of the bits
                    // MUST be set to 1.
                    if ku.flags == 0 {
                        l.err("KeyUsage: all flags are set to 0");
                    }
                }
                ParsedExtension::SubjectAlternativeName(san) => {
                    // SHOULD be non-critical
                    test_critical!(SHOULD NOT ext, l, "SubjectAltName");
                    for name in &san.general_names {
                        match name {
                            GeneralName::DNSName(ref s) | GeneralName::RFC822Name(ref s) => {
                                // should be an ia5string
                                if !s.as_bytes().iter().all(u8::is_ascii) {
                                    l.warn(&format!("Invalid charset in 'SAN' entry '{}'", s));
                                }
                            }
                            _ => (),
                        }
                    }
                }
                _ => (),
            }
        }
        res
    }
}