WIP

wireapp · Nov 22, 2023 · f81ed2f · f81ed2f
1 parent 71a4f18
commit f81ed2f
Show file tree

Hide file tree

Showing 4 changed files with 217 additions and 13 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/acme/Cargo.toml b/acme/Cargo.toml
@@ -21,16 +21,22 @@ url = { version = "2.3", features = ["serde"] }
 time = { version = "0.3", features = ["serde", "serde-well-known", "wasm-bindgen"] }
 x509-cert = "0.2"
 oid-registry = "0.6"
+const-oid = "0.9"
 asn1-rs = "0.5"
 signature = "2"
 ed25519-compact = "2.0"
 p256 = "0.13"
 p384 = "0.13"
 pem = "3.0"
 getrandom = { version = "0.2.8", features = ["js"] }
-
 fluvio-wasm-timer = "0.2"
 
+[dependencies.certval]
+git = "https://github.com/carl-wallace/rust-pki.git"
+package = "certval"
+default-features = false
+features = ["revocation"]
+
 [dev-dependencies]
 wasm-bindgen-test = "0.3"
 hex = "0.4.3"
diff --git a/acme/src/identity/mod.rs b/acme/src/identity/mod.rs
@@ -44,7 +44,7 @@ impl WireIdentityReader for x509_cert::Certificate {
     fn extract_identity(&self) -> RustyAcmeResult<WireIdentity> {
         let (client_id, handle) = try_extract_san(&self.tbs_certificate)?;
         let (display_name, domain) = try_extract_subject(&self.tbs_certificate)?;
-        let status = status::extract_status(&self.tbs_certificate);
+        let status = status::extract_status(&self);
         let thumbprint = thumbprint::try_compute_jwk_canonicalized_thumbprint(&self.tbs_certificate)?;
 
         Ok(WireIdentity {
@@ -105,9 +105,10 @@ fn try_extract_subject(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(Str
 
     let mut subjects = cert.subject.0.iter().flat_map(|n| n.0.iter());
     subjects.try_for_each(|s| -> RustyAcmeResult<()> {
-        if s.oid.as_bytes() == oid_registry::OID_X509_ORGANIZATION_NAME.as_bytes() {
+        let oid = s.oid.as_bytes();
+        if oid == oid_registry::OID_X509_ORGANIZATION_NAME.as_bytes() {
             domain = Some(std::str::from_utf8(s.value.value())?);
-        } else if s.oid.as_bytes() == oid_registry::OID_X509_COMMON_NAME.as_bytes() {
+        } else if oid == oid_registry::OID_X509_COMMON_NAME.as_bytes() {
             display_name = Some(std::str::from_utf8(s.value.value())?);
         }
         Ok(())
@@ -123,8 +124,10 @@ fn try_extract_san(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(String,
 
     let san = extensions
         .iter()
-        .find(|e| e.extn_id.as_bytes() == oid_registry::OID_X509_EXT_SUBJECT_ALT_NAME.as_bytes())
-        .map(|e| x509_cert::ext::pkix::SubjectAltName::from_der(e.extn_value.as_bytes()))
+        .find_map(|e| {
+            (e.extn_id.as_bytes() == oid_registry::OID_X509_EXT_SUBJECT_ALT_NAME.as_bytes())
+                .then(|| x509_cert::ext::pkix::SubjectAltName::from_der(e.extn_value.as_bytes()))
+        })
         .transpose()?
         .ok_or(CertificateError::InvalidFormat)?;
 
@@ -144,8 +147,7 @@ fn try_extract_san(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(String,
             } else if name.starts_with(ClientId::URI_PREFIX) {
                 let h = name
                     .strip_prefix(ClientId::URI_PREFIX)
-                    .ok_or(RustyAcmeError::ImplementationError)?
-                    .strip_prefix(ClientId::HANDLE_PREFIX)
+                    .and_then(|s| s.strip_prefix(ClientId::HANDLE_PREFIX))
                     .ok_or(RustyAcmeError::ImplementationError)?
                     .to_string();
                 handle = Some(h);

diff --git a/acme/src/identity/status.rs b/acme/src/identity/status.rs
@@ -1,9 +1,9 @@
 use super::IdentityStatus;
 
-pub(crate) fn extract_status(cert: &x509_cert::TbsCertificate) -> IdentityStatus {
+pub(crate) fn extract_status(cert: &x509_cert::Certificate) -> IdentityStatus {
     if is_revoked(cert) {
         IdentityStatus::Revoked
-    } else if !is_time_valid(cert) {
+    } else if !is_time_valid(&cert.tbs_certificate) {
         IdentityStatus::Expired
     } else {
         IdentityStatus::Valid
@@ -24,7 +24,39 @@ fn is_time_valid(cert: &x509_cert::TbsCertificate) -> bool {
     is_nbf && is_naf
 }
 
-// TODO
-fn is_revoked(_cert: &x509_cert::TbsCertificate) -> bool {
-    false
+pub(crate) fn extract_crl_distribution_point(cert: &x509_cert::Certificate) -> Option<String> {
+    use certval::validator::{PDVCertificate, PDVExtension};
+    use x509_cert::ext::pkix::name::DistributionPointName;
+
+    let pdv_cert = PDVCertificate::try_from(cert.clone()).ok()?;
+
+    let PDVExtension::CrlDistributionPoints(mut crl_distribution_points) = pdv_cert
+        .parsed_extensions
+        .get(&const_oid::db::rfc5280::ID_CE_CRL_DISTRIBUTION_POINTS)
+        .cloned()?
+    else {
+        return None;
+    };
+
+    let crl_distribution_point = crl_distribution_points.0.pop()?;
+    let distribution_point = crl_distribution_point.distribution_point?;
+    match distribution_point {
+        DistributionPointName::FullName(full_names) => {}
+        DistributionPointName::NameRelativeToCRLIssuer(name_relative_to_issuer) => {
+            let issuer_names = crl_distribution_point.crl_issuer?;
+            // TODO the rest
+        }
+    }
+
+    todo!()
+}
+
+pub(crate) fn is_revoked(cert: &x509_cert::Certificate) -> bool {
+    use certval::validator::PDVCertificate;
+
+    let Ok(pdv_cert) = PDVCertificate::try_from(cert.clone()) else {
+        return false;
+    };
+
+    todo!()
 }