From 49dd508df516568f634209fad64366d74a8c9781 Mon Sep 17 00:00:00 2001
From: Alex Cameron
Date: Tue, 24 Oct 2023 18:55:34 +1100
Subject: [PATCH] validation: add Rust-side certificate validation helpers
---
.../src/certificate.rs | 20 +++++++++++++++++++
.../cryptography-x509-validation/src/lib.rs | 1 +
2 files changed, 21 insertions(+)
create mode 100644 src/rust/cryptography-x509-validation/src/certificate.rs
diff --git a/src/rust/cryptography-x509-validation/src/certificate.rs b/src/rust/cryptography-x509-validation/src/certificate.rs
new file mode 100644
index 000000000000..01342ced2531
--- /dev/null
+++ b/src/rust/cryptography-x509-validation/src/certificate.rs
@@ -0,0 +1,20 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+//! Validation-specific certificate functionality.
+
+use cryptography_x509::certificate::Certificate;
+
+use crate::ops::CryptoOps;
+
+pub(crate) fn cert_is_self_issued(cert: &Certificate<'_>) -> bool {
+ cert.issuer() == cert.subject()
+}
+
+pub(crate) fn cert_is_self_signed(cert: &Certificate<'_>, ops: &B) -> bool {
+ match ops.public_key(cert) {
+ Ok(pk) => cert_is_self_issued(cert) && ops.verify_signed_by(cert, pk).is_ok(),
+ Err(_) => false,
+ }
+}
diff --git a/src/rust/cryptography-x509-validation/src/lib.rs b/src/rust/cryptography-x509-validation/src/lib.rs
index 972f357fd4c2..db654a547540 100644
--- a/src/rust/cryptography-x509-validation/src/lib.rs
+++ b/src/rust/cryptography-x509-validation/src/lib.rs
@@ -5,6 +5,7 @@
 #![forbid(unsafe_code)]
 #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
+pub mod certificate;
 pub mod ops;
 pub mod policy;
 pub mod trust_store;
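Review bot: `cert_is_self_signed` in the new certificate.rs returns `false` both when the signature does not verify under the certificate's own key and when `ops.public_key(cert)` fails, so a caller cannot tell an unparseable or unsupported key from a certificate that is simply not self-signed, and neither helper carries a doc comment stating that contract. I would add `/// Returns true only if the certificate is self-issued and its signature verifies under its own public key; key-extraction and verification errors are reported as false.` above it, and `/// Returns true if the issuer and subject names compare equal; this says nothing about the signature or about trust.` above `cert_is_self_issued`. The helper also extracts the public key before the name comparison, which looks like the cheaper test; `cert_is_self_issued(cert) && ops.public_key(cert).map_or(false, |pk| ops.verify_signed_by(cert, pk).is_ok())` returns the same value without touching the key when the names differ. How strict the name match is depends on the equality implementation of the name type, which is not visible in this patch, so it is worth confirming that it matches the comparison the validator intends.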