Add KDL node for CertificateLists & command to generate them

It's common for lists of certificates to be concatenated and
stored or transferred as a single file / unit. Different applications /
protocols may expect or produce a particular ordering. In rare cases
certs in a list may be out of order, or even contain multiple branches.

To support as many use-cases as possible we do not enforce any
particular ordering or relationship between the certificates in a
certificate list. We simply concatenate them in the order specified.

A `CertificateList` is defined in KDL as:
```kdl
certificate-list "name" \
    "cert-name-1" \
    "cert-name-2"
```

The output file name prefix is taken from the first attribute of the KDL
("name" in this example). The suffix `.certlist.pem` is appended to this
`name`. The remaining attributes are the string names assigned to
`certificate` nodes defined elsewhere in the document.

Author: flihp

examples/simple-chain-client-server_ed25519/config.kdl

@@ -175,6 +175,9 @@ certificate "TEST USE ONLY - Test Server A" {
     serial-number "01"
 }
 
+certificate-list "TEST USE ONLY - Test Server A" \
+    "TEST USE ONLY - Test Server A" \
+    "TEST USE ONLY - Test Int A"
 
 certificate "TEST USE ONLY - Test Client A" {
     subject-entity "TEST USE ONLY - Test Client A"

src/config.rs

@@ -20,6 +20,9 @@ pub struct Document {
 
     #[knuffel(children(name = "certificate-request"))]
     pub certificate_requests: Vec<CertificateRequest>,
+
+    #[knuffel(children(name = "certificate-list"))]
+    pub certificate_lists: Vec<CertificateList>,
 }
 
 #[derive(knuffel::Decode, Debug)]
@@ -109,6 +112,15 @@ pub struct CertificateRequest {
     pub digest_algorithm: Option<DigestAlgorithm>,
 }
 
+#[derive(knuffel::Decode, Debug)]
+pub struct CertificateList {
+    #[knuffel(argument)]
+    pub name: String,
+
+    #[knuffel(arguments)]
+    pub certificates: Vec<String>,
+}
+
 #[derive(knuffel::DecodeScalar, Debug)]
 #[allow(non_camel_case_types)]
 pub enum DigestAlgorithm {
@@ -481,5 +493,13 @@ pub fn load_and_validate(path: &std::path::Path) -> Result<Document> {
         }
     }
 
+    for certlist in &doc.certificate_lists {
+        for cert in &certlist.certificates {
+            if !cert_names.contains(cert.as_str()) {
+                miette::bail!("certificate \"{}\" does not exist", cert,)
+            }
+        }
+    }
+
     Ok(doc)
 }

src/main.rs

@@ -46,6 +46,7 @@ enum Action {
     GenerateKeyPairs(GenerateKeyPairsOpts),
     GenerateCertificateRequests(GenerateCertificateRequestsOpts),
     GenerateCertificates(GenerateCertificatesOpts),
+    GenerateCertificateLists(GenerateCertificateListsOpts),
 }
 
 #[derive(clap::Args)]
@@ -69,6 +70,13 @@ struct GenerateCertificatesOpts {
     output_exists: OutputFileExistsBehavior,
 }
 
+#[derive(clap::Args)]
+struct GenerateCertificateListsOpts {
+    /// action to take if an output file already exists
+    #[arg(long, default_value = "overwrite")]
+    output_exists: OutputFileExistsBehavior,
+}
+
 fn write_to_file(
     filename: &str,
     contents: &[u8],
@@ -131,6 +139,26 @@ fn load_entities(entities: &Vec<config::Entity>) -> Result<HashMap<String, Entit
     Ok(entity_map)
 }
 
+fn load_certificates(
+    certificates_cfg: &Vec<config::Certificate>,
+) -> Result<HashMap<String, x509_cert::Certificate>> {
+    let mut certs = HashMap::new();
+
+    for cert_cfg in certificates_cfg {
+        let cert_filename = format!("{}.cert.pem", cert_cfg.name);
+        let cert_pem = std::fs::read_to_string(&cert_filename)
+            .into_diagnostic()
+            .wrap_err(format!(
+                "Unable to load certificate \"{}\" from \"{}\"",
+                cert_cfg.name, &cert_filename
+            ))?;
+        let cert = x509_cert::Certificate::from_pem(cert_pem).into_diagnostic()?;
+        certs.insert(cert_cfg.name.clone(), cert);
+    }
+
+    Ok(certs)
+}
+
 fn main() -> Result<()> {
     let opts = Options::parse();
 
@@ -145,6 +173,26 @@ fn main() -> Result<()> {
     ))?;
 
     match opts.action {
+        Action::GenerateCertificateLists(action_opts) => {
+            let certificates = load_certificates(&doc.certificates)?;
+            for certlist_cfg in &doc.certificate_lists {
+                let mut cert_chain = String::new();
+                let certlist_filename = format!("{}.certlist.pem", certlist_cfg.name);
+                println!("Writing pki path to \"{}\"", &certlist_filename);
+                for cert_name in &certlist_cfg.certificates {
+                    let cert = certificates.get(cert_name).ok_or(miette!(
+                        "Certificate does not exist: {}",
+                        &certlist_cfg.name
+                    ))?;
+                    cert_chain += &cert.to_pem(LineEnding::CRLF).into_diagnostic()?;
+                }
+                write_to_file(
+                    &certlist_filename,
+                    cert_chain.as_bytes(),
+                    action_opts.output_exists,
+                )?
+            }
+        }
         Action::GenerateKeyPairs(action_opts) => {
             for kp_config in &doc.key_pairs {
                 let kp = <dyn KeyPair>::new(kp_config)?;