Move CA parser functions to Issuer

djc · djc · commit 3bd3067d98b5 · 2025-06-25T18:04:39.000+02:00
diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
@@ -1133,6 +1133,9 @@ pub enum BasicConstraints {
 
 #[cfg(test)]
 mod tests {
+	#[cfg(feature = "x509-parser")]
+	use pki_types::pem::PemObject;
+
 	#[cfg(feature = "pem")]
 	use super::*;
 	#[cfg(feature = "crypto")]
@@ -1290,7 +1293,7 @@ mod tests {
 		}
 	}
 
-	#[cfg(all(feature = "pem", feature = "x509-parser"))]
+	#[cfg(all(feature = "x509-parser"))]
 	mod test_key_identifier_from_ca {
 		use super::*;
 
@@ -1380,22 +1383,20 @@ JiY98T5oN1X0C/qAXxJfSvklbru9fipwGt3dho5Tm6Ee3cYf+plnk4WZhSnqyef4
 PITGdT9dgN88nHPCle0B1+OY+OZ5
 -----END PRIVATE KEY-----"#;
 
-			let params = CertificateParams::from_ca_cert_pem(ca_cert).unwrap();
+			let ca_kp = KeyPair::from_pem(ca_key).unwrap();
+			let ca = Issuer::from_ca_cert_pem(ca_cert, ca_kp).unwrap();
 			let ca_ski = vec![
 				0x97, 0xD4, 0x76, 0xA1, 0x9B, 0x1A, 0x71, 0x35, 0x2A, 0xC7, 0xF4, 0xA1, 0x84, 0x12,
 				0x56, 0x06, 0xBA, 0x5D, 0x61, 0x84,
 			];
 
 			assert_eq!(
-				KeyIdMethod::PreSpecified(ca_ski.clone()),
-				params.key_identifier_method
+				&KeyIdMethod::PreSpecified(ca_ski.clone()),
+				ca.key_identifier_method.as_ref()
 			);
 
-			let ca_kp = KeyPair::from_pem(ca_key).unwrap();
-			let ca_cert = params.self_signed(&ca_kp).unwrap();
-			assert_eq!(ca_ski, params.key_identifier(&ca_kp));
-
-			let (_, x509_ca) = x509_parser::parse_x509_certificate(ca_cert.der()).unwrap();
+			let ca_cert_der = CertificateDer::from_pem_slice(ca_cert.as_bytes()).unwrap();
+			let (_, x509_ca) = x509_parser::parse_x509_certificate(ca_cert_der.as_ref()).unwrap();
 			assert_eq!(
 				&ca_ski,
 				&x509_ca
@@ -1409,13 +1410,12 @@ PITGdT9dgN88nHPCle0B1+OY+OZ5
 					.unwrap()
 			);
 
-			let issuer = Issuer::new(params, ca_kp);
 			let ee_key = KeyPair::generate().unwrap();
 			let ee_params = CertificateParams {
 				use_authority_key_identifier_extension: true,
 				..CertificateParams::default()
 			};
-			let ee_cert = ee_params.signed_by(&ee_key, &issuer).unwrap();
+			let ee_cert = ee_params.signed_by(&ee_key, &ca).unwrap();
 
 			let (_, x509_ee) = x509_parser::parse_x509_certificate(ee_cert.der()).unwrap();
 			assert_eq!(
diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs
@@ -41,6 +41,8 @@ use std::net::IpAddr;
 use std::net::{Ipv4Addr, Ipv6Addr};
 use std::ops::Deref;
 
+#[cfg(feature = "x509-parser")]
+use pki_types::CertificateDer;
 use time::{OffsetDateTime, Time};
 use yasna::models::ObjectIdentifier;
 use yasna::models::{GeneralizedTime, UTCTime};
@@ -165,6 +167,43 @@ impl<'a, S: SigningKey> Issuer<'a, S> {
 		}
 	}
 
+	/// Parses an existing CA certificate from the ASCII PEM format.
+	///
+	/// See [`from_ca_cert_der`](Self::from_ca_cert_der) for more details.
+	#[cfg(all(feature = "pem", feature = "x509-parser"))]
+	pub fn from_ca_cert_pem(pem_str: &str, signing_key: S) -> Result<Self, Error> {
+		let certificate = pem::parse(pem_str).map_err(|_| Error::CouldNotParseCertificate)?;
+		Self::from_ca_cert_der(&certificate.contents().into(), signing_key)
+	}
+
+	/// Parses an existing CA certificate from the DER format.
+	///
+	/// This function assumes the provided certificate is a CA. It will not check
+	/// for the presence of the `BasicConstraints` extension, or perform any other
+	/// validation.
+	///
+	/// If you already have a byte slice containing DER, it can trivially be converted into
+	/// [`CertificateDer`] using the [`Into`] trait.
+	#[cfg(feature = "x509-parser")]
+	pub fn from_ca_cert_der(ca_cert: &CertificateDer<'_>, signing_key: S) -> Result<Self, Error> {
+		let (_remainder, x509) = x509_parser::parse_x509_certificate(ca_cert)
+			.map_err(|_| Error::CouldNotParseCertificate)?;
+
+		Ok(Self {
+			key_usages: Cow::Owned(KeyUsagePurpose::from_x509(&x509)?),
+			key_identifier_method: Cow::Owned(KeyIdMethod::from_x509(&x509)?),
+			distinguished_name: Cow::Owned(DistinguishedName::from_name(
+				&x509.tbs_certificate.subject,
+			)?),
+			signing_key: MaybeOwned::Owned(signing_key),
+		})
+	}
+
+	/// Allowed key usages for this issuer.
+	pub fn key_usages(&self) -> &[KeyUsagePurpose] {
+		&self.key_usages
+	}
+
 	/// Yield a reference to the signing key.
 	pub fn key(&self) -> &S {
 		&self.signing_key
diff --git a/rcgen/tests/botan.rs b/rcgen/tests/botan.rs
@@ -154,10 +154,8 @@ fn test_botan_imported_ca() {
 	let (mut params, ca_key) = default_params();
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = params.self_signed(&ca_key).unwrap();
-
 	let ca_cert_der = ca_cert.der();
-
-	let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
+	let ca = Issuer::from_ca_cert_der(ca_cert.der(), ca_key).unwrap();
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -170,7 +168,6 @@ fn test_botan_imported_ca() {
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 
 	let key_pair = KeyPair::generate().unwrap();
-	let ca = Issuer::new(imported_ca_cert_params, ca_key);
 	let cert = params.signed_by(&key_pair, &ca).unwrap();
 	check_cert_ca(cert.der(), &cert, ca_cert_der);
 }
@@ -185,10 +182,7 @@ fn test_botan_imported_ca_with_printable_string() {
 	);
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = params.self_signed(&imported_ca_key).unwrap();
-
-	let ca_cert_der = ca_cert.der();
-
-	let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
+	let ca = Issuer::from_ca_cert_der(ca_cert.der(), imported_ca_key).unwrap();
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -200,10 +194,9 @@ fn test_botan_imported_ca_with_printable_string() {
 	// Botan has a sanity check that enforces a maximum expiration date
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 	let key_pair = KeyPair::generate().unwrap();
-	let ca = Issuer::new(imported_ca_cert_params, imported_ca_key);
 	let cert = params.signed_by(&key_pair, &ca).unwrap();
 
-	check_cert_ca(cert.der(), &cert, ca_cert_der);
+	check_cert_ca(cert.der(), &cert, ca_cert.der());
 }
 
 #[test]
diff --git a/rcgen/tests/webpki.rs b/rcgen/tests/webpki.rs
@@ -420,13 +420,8 @@ fn test_webpki_imported_ca() {
 	params.key_usages.push(KeyUsagePurpose::KeyCertSign);
 	let ca_cert = params.self_signed(&ca_key).unwrap();
 
-	let ca_cert_der = ca_cert.der();
-
-	let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
-	assert_eq!(
-		imported_ca_cert_params.key_usages,
-		vec![KeyUsagePurpose::KeyCertSign]
-	);
+	let ca = Issuer::from_ca_cert_der(ca_cert.der(), ca_key).unwrap();
+	assert_eq!(ca.key_usages(), &[KeyUsagePurpose::KeyCertSign]);
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -436,14 +431,13 @@ fn test_webpki_imported_ca() {
 		.distinguished_name
 		.push(DnType::CommonName, "Dev domain");
 	let cert_key = KeyPair::generate().unwrap();
-	let ca = Issuer::new(imported_ca_cert_params, ca_key);
 	let cert = params.signed_by(&cert_key, &ca).unwrap();
 
 	let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING);
 	check_cert_ca(
 		cert.der(),
 		&cert_key,
-		ca_cert_der,
+		ca_cert.der(),
 		webpki::ring::ECDSA_P256_SHA256,
 		webpki::ring::ECDSA_P256_SHA256,
 		sign_fn,
@@ -460,9 +454,7 @@ fn test_webpki_imported_ca_with_printable_string() {
 	);
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = params.self_signed(&ca_key).unwrap();
-
-	let ca_cert_der = ca_cert.der();
-	let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
+	let ca = Issuer::from_ca_cert_der(ca_cert.der(), ca_key).unwrap();
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -472,14 +464,13 @@ fn test_webpki_imported_ca_with_printable_string() {
 		.distinguished_name
 		.push(DnType::CommonName, "Dev domain");
 	let cert_key = KeyPair::generate().unwrap();
-	let ca = Issuer::new(imported_ca_cert_params, ca_key);
 	let cert = params.signed_by(&cert_key, &ca).unwrap();
 
 	let sign_fn = |cert, msg| sign_msg_ecdsa(cert, msg, &signature::ECDSA_P256_SHA256_ASN1_SIGNING);
 	check_cert_ca(
 		cert.der(),
 		&cert_key,
-		ca_cert_der,
+		ca_cert.der(),
 		webpki::ring::ECDSA_P256_SHA256,
 		webpki::ring::ECDSA_P256_SHA256,
 		sign_fn,
