Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

validation: add Rust-side trust store APIs #9744

Merged
merged 2 commits into from
Oct 22, 2023
Merged

validation: add Rust-side trust store APIs #9744

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ab26e06
validation: add Rust-side trust store APIs
woodruffw Oct 20, 2023
bb38d2f
remove 'static hacks
woodruffw Oct 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/rust/cryptography-x509-validation/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@

pub mod ops;
pub mod policy;
pub mod trust_store;
pub mod types;
22 changes: 15 additions & 7 deletions src/rust/cryptography-x509-validation/src/ops.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,10 +45,9 @@ pub(crate) mod tests {
}
}

#[test]
fn test_nullops() {
// Arbitrary relatively small cert (v1_cert.pem from cryptography_vectors).
let v1_cert = "
pub(crate) fn v1_cert_pem() -> pem::Pem {
pem::parse(
"
-----BEGIN CERTIFICATE-----
MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz
Expand All @@ -58,10 +57,19 @@ AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO
/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE
Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ
zl9HYIMxATFyqSiD9jsx
-----END CERTIFICATE-----";
-----END CERTIFICATE-----",
)
.unwrap()
}

let pem = pem::parse(v1_cert.as_bytes()).unwrap();
let cert = asn1::parse_single::<Certificate<'_>>(pem.contents()).unwrap();
pub(crate) fn cert(cert_pem: &pem::Pem) -> Certificate<'_> {
asn1::parse_single(cert_pem.contents()).unwrap()
}

#[test]
fn test_nullops() {
let cert_pem = v1_cert_pem();
let cert = cert(&cert_pem);

let ops = NullOps {};
assert_eq!(ops.public_key(&cert), Ok(()));
Expand Down
44 changes: 44 additions & 0 deletions src/rust/cryptography-x509-validation/src/trust_store.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
// This file is dual licensed under the terms of the Apache License, Version
// 2.0, and the BSD License. See the LICENSE file in the root of this repository
// for complete details.

use std::collections::HashSet;

use cryptography_x509::certificate::Certificate;

/// A `Store` represents the core state needed for X.509 path validation.
pub struct Store<'a>(HashSet<Certificate<'a>>);

impl<'a> Store<'a> {
/// Create a new `Store` from the given iterable certificate source.
pub fn new(trusted: impl IntoIterator<Item = Certificate<'a>>) -> Self {
Store(HashSet::from_iter(trusted))
}

/// Returns whether this store contains the given certificate.
pub fn contains(&self, cert: &Certificate<'a>) -> bool {
self.0.contains(cert)
}

/// Returns an iterator over all certificates in this store.
pub fn iter(&self) -> impl Iterator<Item = &Certificate<'a>> {
self.0.iter()
}
}

#[cfg(test)]
mod tests {
use crate::ops::tests::{cert, v1_cert_pem};

use super::Store;

#[test]
fn test_store() {
let cert_pem = v1_cert_pem();
let cert = cert(&cert_pem);
let store = Store::new([cert.clone()]);

assert!(store.contains(&cert));
assert!(store.iter().collect::<Vec<_>>() == Vec::from([&cert]));
}
}