#![cfg(all(feature = "alloc", any(feature = "ring", feature = "aws-lc-rs")))]
use core::time::Duration;
use pki_types::{CertificateDer, UnixTime};
use webpki::{KeyUsage, RequiredEkuNotFoundContext, anchor_from_trusted_cert};
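/// Verifies the end-entity certificate `ee` against the single trust anchor `ca`
/// for the extended key usage `eku` at `time`, and asserts that the outcome is
/// exactly `result`.
///
/// The success value of `verify_for_usage` is dropped (`.map(|_| ())`) so both
/// sides of the comparison are `Result<(), webpki::Error>`; the helper therefore
/// pins only whether verification succeeds and, on failure, which error is
/// reported. No intermediates are supplied, so `ee` must chain directly to `ca`.
///
/// # Panics
///
/// Panics if `ca` cannot be used as a trust anchor, if `ee` does not parse as
/// an end-entity certificate, or if the verification outcome differs from
/// `result` — all three are test-fixture failures, not library behaviour.
fn check_cert(
    ee: &[u8],
    ca: &[u8],
    eku: KeyUsage,
    time: UnixTime,
    result: Result<(), webpki::Error>,
) {
    let ca = CertificateDer::from(ca);
    let anchors = [anchor_from_trusted_cert(&ca)
        .expect("CA fixture must be usable as a trust anchor")];

    let ee = CertificateDer::from(ee);
    let cert = webpki::EndEntityCert::try_from(&ee)
        .expect("EE fixture must parse as an end-entity certificate");

    // Empty intermediate list; the two trailing `None`s leave the optional
    // revocation and path-verification inputs unset — confirm against the
    // current `verify_for_usage` signature if those parameters change.
    let outcome = cert
        .verify_for_usage(
            webpki::ALL_VERIFICATION_ALGS,
            &anchors,
            &[],
            time,
            eku,
            None,
            None,
        )
        .map(|_| ());

    assert_eq!(outcome, result);
}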
#[test]
/// A custom EKU given as raw DER OID bytes is honoured, and a certificate that
/// carries only that EKU is rejected for `server_auth` with the EKUs it does
/// have reported in the error context.
pub fn verify_custom_eku_mdoc() {
    let time = UnixTime::since_unix_epoch(Duration::from_secs(1_609_459_200)); // Jan 1 01:00:00 CET 2021
    let ee = include_bytes!("misc/mdoc_eku.ee.der");
    let ca = include_bytes!("misc/mdoc_eku.ca.der");
    // DER-encoded OID content bytes: 40 -> arcs 1.0, 129 140 93 -> 18013 (base-128),
    // then 5.1.2, i.e. 1.0.18013.5.1.2 under the ISO/IEC 18013-5 (mdoc) arc.
    let eku_mdoc = KeyUsage::required(&[40, 129, 140, 93, 5, 1, 2]);
    check_cert(ee, ca, eku_mdoc, time, Ok(()));
    check_cert(
        ee,
        ca,
        KeyUsage::server_auth(),
        time,
        Err(webpki::Error::RequiredEkuNotFoundContext(
            RequiredEkuNotFoundContext {
                required: KeyUsage::server_auth(),
                // NOTE(review): standard base-128 decoding of 129 140 93 gives 18013,
                // whereas 68701 == 1<<16 | 12<<8 | 93 (8-bit shifts). Confirm this
                // expectation matches the intended arc decoding in the error context.
                present: vec![vec![1, 0, 68701, 5, 1, 2]],
            },
        )),
    );
    // The two calls above are repeated verbatim; `eku_mdoc` is passed by value
    // twice, so this also relies on `KeyUsage` being `Copy`.
    check_cert(ee, ca, eku_mdoc, time, Ok(()));
    check_cert(
        ee,
        ca,
        KeyUsage::server_auth(),
        time,
        Err(webpki::Error::RequiredEkuNotFoundContext(
            RequiredEkuNotFoundContext {
                required: KeyUsage::server_auth(),
                present: vec![vec![1, 0, 68701, 5, 1, 2]],
            },
        )),
    );
}
#[test]
/// Client-auth acceptance: a certificate with no EKU extension and one that
/// carries both client- and server-auth EKUs both verify for the usages below.
pub fn verify_custom_eku_client() {
    let time = UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d));

    // Fixture pair named as having no EKU extension at all.
    let no_eku_ee = include_bytes!("custom_ekus/cert_with_no_eku_accepted_for_client_auth.ee.der");
    let no_eku_ca = include_bytes!("custom_ekus/cert_with_no_eku_accepted_for_client_auth.ca.der");
    check_cert(no_eku_ee, no_eku_ca, KeyUsage::client_auth(), time, Ok(()));

    // Fixture pair named as carrying both EKUs: accepted for either usage.
    let both_ee = include_bytes!("custom_ekus/cert_with_both_ekus_accepted_for_client_auth.ee.der");
    let both_ca = include_bytes!("custom_ekus/cert_with_both_ekus_accepted_for_client_auth.ca.der");
    for usage in [KeyUsage::client_auth(), KeyUsage::server_auth()] {
        check_cert(both_ee, both_ca, usage, time, Ok(()));
    }
}
#[test]
/// `required_if_present` with id-kp-clientAuth accepts both a certificate that
/// has no EKU extension and one that carries the requested EKU.
pub fn verify_custom_eku_required_if_present() {
    let time = UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d));
    // DER OID content bytes for 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth):
    // 43 -> arcs 1.3, remaining bytes are single-byte arcs.
    let client_auth_if_present = KeyUsage::required_if_present(&[43, 6, 1, 5, 5, 7, 3, 2]);

    let fixtures: [(&[u8], &[u8]); 2] = [
        (
            &include_bytes!("custom_ekus/cert_with_no_eku_accepted_for_client_auth.ee.der")[..],
            &include_bytes!("custom_ekus/cert_with_no_eku_accepted_for_client_auth.ca.der")[..],
        ),
        (
            &include_bytes!("custom_ekus/cert_with_both_ekus_accepted_for_client_auth.ee.der")[..],
            &include_bytes!("custom_ekus/cert_with_both_ekus_accepted_for_client_auth.ca.der")[..],
        ),
    ];
    for (ee, ca) in fixtures {
        check_cert(ee, ca, client_auth_if_present, time, Ok(()));
    }
}