Unbundle params from output types

Author: djc

rcgen/examples/sign-leaf-with-ca.rs

@@ -6,8 +6,8 @@ use time::{Duration, OffsetDateTime};
 
 /// Example demonstrating signing end-entity certificate with ca
 fn main() {
-	let (ca, ca_key) = new_ca();
-	let end_entity = new_end_entity(&ca, &ca_key);
+	let (ca_params, ca, ca_key) = new_ca();
+	let end_entity = new_end_entity(&ca_params, &ca_key);
 
 	let end_entity_pem = end_entity.pem();
 	println!("directly signed end-entity certificate: {end_entity_pem}");
@@ -16,7 +16,7 @@ fn main() {
 	println!("ca certificate: {ca_cert_pem}");
 }
 
-fn new_ca() -> (Certificate, KeyPair) {
+fn new_ca() -> (CertificateParams, Certificate, KeyPair) {
 	let mut params =
 		CertificateParams::new(Vec::default()).expect("empty subject alt name can't produce error");
 	let (yesterday, tomorrow) = validity_period();
@@ -36,10 +36,11 @@ fn new_ca() -> (Certificate, KeyPair) {
 	params.not_after = tomorrow;
 
 	let key_pair = KeyPair::generate().unwrap();
-	(params.self_signed(&key_pair).unwrap(), key_pair)
+	let cert = params.self_signed(&key_pair).unwrap();
+	(params, cert, key_pair)
 }
 
-fn new_end_entity(ca: &Certificate, ca_key: &KeyPair) -> Certificate {
+fn new_end_entity(ca: &CertificateParams, ca_key: &KeyPair) -> Certificate {
 	let name = "entity.other.host";
 	let mut params = CertificateParams::new(vec![name.into()]).expect("we know the name is valid");
 	let (yesterday, tomorrow) = validity_period();

rcgen/src/certificate.rs

@@ -24,30 +24,18 @@ use crate::{
 /// An issued certificate together with the parameters used to generate it.
 #[derive(Debug, Clone)]
 pub struct Certificate {
-	pub(crate) params: CertificateParams,
-	pub(crate) subject_public_key_info: Vec<u8>,
 	pub(crate) der: CertificateDer<'static>,
 }
 
 impl Certificate {
-	/// Returns the certificate parameters
-	pub fn params(&self) -> &CertificateParams {
-		&self.params
-	}
-	/// Calculates a subject key identifier for the certificate subject's public key.
-	/// This key identifier is used in the SubjectKeyIdentifier X.509v3 extension.
-	pub fn key_identifier(&self) -> Vec<u8> {
-		self.params
-			.key_identifier_method
-			.derive(&self.subject_public_key_info)
-	}
 	/// Get the certificate in DER encoded format.
 	///
 	/// [`CertificateDer`] implements `Deref<Target = [u8]>` and `AsRef<[u8]>`, so you can easily
 	/// extract the DER bytes from the return value.
 	pub fn der(&self) -> &CertificateDer<'static> {
 		&self.der
 	}
+
 	/// Get the certificate in PEM encoded format.
 	#[cfg(feature = "pem")]
 	pub fn pem(&self) -> String {
@@ -61,12 +49,6 @@ impl From<Certificate> for CertificateDer<'static> {
 	}
 }
 
-impl AsRef<CertificateParams> for Certificate {
-	fn as_ref(&self) -> &CertificateParams {
-		&self.params
-	}
-}
-
 /// Parameters used for certificate generation
 #[allow(missing_docs)]
 #[non_exhaustive]
@@ -156,45 +138,36 @@ impl CertificateParams {
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
 	pub fn signed_by(
-		self,
+		&self,
 		public_key: &impl PublicKeyData,
-		issuer: &Certificate,
+		issuer: &CertificateParams,
 		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
-			distinguished_name: &issuer.params.distinguished_name,
-			key_identifier_method: &issuer.params.key_identifier_method,
-			key_usages: &issuer.params.key_usages,
+			distinguished_name: &issuer.distinguished_name,
+			key_identifier_method: &issuer.key_identifier_method,
+			key_usages: &issuer.key_usages,
 			key_pair: issuer_key,
 		};
 
 		let der = self.serialize_der_with_signer(public_key, issuer)?;
-		Ok(Certificate {
-			params: self,
-			subject_public_key_info: public_key.subject_public_key_info(),
-			der,
-		})
+		Ok(Certificate { der })
 	}
 
 	/// Generates a new self-signed certificate from the given parameters.
 	///
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
-	pub fn self_signed(self, key_pair: &impl SigningKey) -> Result<Certificate, Error> {
+	pub fn self_signed(&self, key_pair: &impl SigningKey) -> Result<Certificate, Error> {
 		let issuer = Issuer {
 			distinguished_name: &self.distinguished_name,
 			key_identifier_method: &self.key_identifier_method,
 			key_usages: &self.key_usages,
 			key_pair,
 		};
 
-		let subject_public_key_info = key_pair.subject_public_key_info();
 		let der = self.serialize_der_with_signer(key_pair, issuer)?;
-		Ok(Certificate {
-			params: self,
-			subject_public_key_info,
-			der,
-		})
+		Ok(Certificate { der })
 	}
 
 	/// Parses an existing ca certificate from the ASCII PEM format.
@@ -1492,7 +1465,6 @@ PITGdT9dgN88nHPCle0B1+OY+OZ5
 
 			let ca_kp = KeyPair::from_pem(ca_key).unwrap();
 			let ca_cert = params.self_signed(&ca_kp).unwrap();
-			assert_eq!(&ca_ski, &ca_cert.key_identifier());
 
 			let (_, x509_ca) = x509_parser::parse_x509_certificate(ca_cert.der()).unwrap();
 			assert_eq!(
@@ -1511,7 +1483,7 @@ PITGdT9dgN88nHPCle0B1+OY+OZ5
 			let ee_key = KeyPair::generate().unwrap();
 			let mut ee_params = CertificateParams::default();
 			ee_params.use_authority_key_identifier_extension = true;
-			let ee_cert = ee_params.signed_by(&ee_key, &ca_cert, &ee_key).unwrap();
+			let ee_cert = ee_params.signed_by(&ee_key, &params, &ee_key).unwrap();
 
 			let (_, x509_ee) = x509_parser::parse_x509_certificate(ee_cert.der()).unwrap();
 			assert_eq!(

rcgen/src/crl.rs

@@ -10,8 +10,8 @@ use crate::key_pair::sign_der;
 use crate::ENCODE_CONFIG;
 use crate::{
 	oid, write_distinguished_name, write_dt_utc_or_generalized,
-	write_x509_authority_key_identifier, write_x509_extension, Certificate, Error, Issuer,
-	KeyIdMethod, KeyUsagePurpose, SerialNumber, SigningKey,
+	write_x509_authority_key_identifier, write_x509_extension, CertificateParams, Error, Issuer,
+	KeyIdMethod, KeyPair, KeyUsagePurpose, SerialNumber, SigningKey,
 };
 
 /// A certificate revocation list (CRL)
@@ -61,20 +61,14 @@ use crate::{
 ///   key_identifier_method: KeyIdMethod::Sha256,
 ///   #[cfg(not(feature = "crypto"))]
 ///   key_identifier_method: KeyIdMethod::PreSpecified(vec![]),
-/// }.signed_by(&issuer, &key_pair).unwrap();
+/// }.signed_by(&issuer_params, &key_pair).unwrap();
 ///# }
 #[derive(Debug)]
 pub struct CertificateRevocationList {
-	params: CertificateRevocationListParams,
 	der: CertificateRevocationListDer<'static>,
 }
 
 impl CertificateRevocationList {
-	/// Returns the certificate revocation list (CRL) parameters.
-	pub fn params(&self) -> &CertificateRevocationListParams {
-		&self.params
-	}
-
 	/// Get the CRL in PEM encoded format.
 	#[cfg(feature = "pem")]
 	pub fn pem(&self) -> Result<String, Error> {
@@ -190,18 +184,18 @@ impl CertificateRevocationListParams {
 	///
 	/// Including a signature from the issuing certificate authority's key.
 	pub fn signed_by(
-		self,
-		issuer: &Certificate,
-		issuer_key: &impl SigningKey,
+		&self,
+		issuer: &CertificateParams,
+		issuer_key: &KeyPair,
 	) -> Result<CertificateRevocationList, Error> {
 		if self.next_update.le(&self.this_update) {
 			return Err(Error::InvalidCrlNextUpdate);
 		}
 
 		let issuer = Issuer {
-			distinguished_name: &issuer.params.distinguished_name,
-			key_identifier_method: &issuer.params.key_identifier_method,
-			key_usages: &issuer.params.key_usages,
+			distinguished_name: &issuer.distinguished_name,
+			key_identifier_method: &issuer.key_identifier_method,
+			key_usages: &issuer.key_usages,
 			key_pair: issuer_key,
 		};
 
@@ -211,7 +205,6 @@ impl CertificateRevocationListParams {
 
 		Ok(CertificateRevocationList {
 			der: self.serialize_der(&issuer)?.into(),
-			params: self,
 		})
 	}
 

rcgen/src/csr.rs

@@ -201,25 +201,20 @@ impl CertificateSigningRequestParams {
 	/// The returned [`Certificate`] may be serialized using [`Certificate::der`] and
 	/// [`Certificate::pem`].
 	pub fn signed_by(
-		self,
-		issuer: &Certificate,
+		&self,
+		issuer: &CertificateParams,
 		issuer_key: &impl SigningKey,
 	) -> Result<Certificate, Error> {
 		let issuer = Issuer {
-			distinguished_name: &issuer.params.distinguished_name,
-			key_identifier_method: &issuer.params.key_identifier_method,
-			key_usages: &issuer.params.key_usages,
+			distinguished_name: &issuer.distinguished_name,
+			key_identifier_method: &issuer.key_identifier_method,
+			key_usages: &issuer.key_usages,
 			key_pair: issuer_key,
 		};
 
 		let der = self
 			.params
 			.serialize_der_with_signer(&self.public_key, issuer)?;
-
-		Ok(Certificate {
-			params: self.params,
-			subject_public_key_info: self.public_key.subject_public_key_info(),
-			der,
-		})
+		Ok(Certificate { der })
 	}
 }

rcgen/tests/botan.rs

@@ -128,9 +128,9 @@ fn test_botan_rsa_given() {
 
 #[test]
 fn test_botan_separate_ca() {
-	let (mut params, ca_key) = default_params();
-	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
-	let ca_cert = params.self_signed(&ca_key).unwrap();
+	let (mut ca_params, ca_key) = default_params();
+	ca_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+	let ca_cert = ca_params.self_signed(&ca_key).unwrap();
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -143,7 +143,7 @@ fn test_botan_separate_ca() {
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 
 	let key_pair = KeyPair::generate().unwrap();
-	let cert = params.signed_by(&key_pair, &ca_cert, &ca_key).unwrap();
+	let cert = params.signed_by(&key_pair, &ca_params, &ca_key).unwrap();
 	check_cert_ca(cert.der(), &cert, ca_cert.der());
 }
 
@@ -157,7 +157,6 @@ fn test_botan_imported_ca() {
 	let ca_cert_der = ca_cert.der();
 
 	let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
-	let imported_ca_cert = imported_ca_cert_params.self_signed(&ca_key).unwrap();
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -171,7 +170,7 @@ fn test_botan_imported_ca() {
 
 	let key_pair = KeyPair::generate().unwrap();
 	let cert = params
-		.signed_by(&key_pair, &imported_ca_cert, &ca_key)
+		.signed_by(&key_pair, &imported_ca_cert_params, &ca_key)
 		.unwrap();
 	check_cert_ca(cert.der(), &cert, ca_cert_der);
 }
@@ -190,9 +189,6 @@ fn test_botan_imported_ca_with_printable_string() {
 	let ca_cert_der = ca_cert.der();
 
 	let imported_ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert_der).unwrap();
-	let imported_ca_cert = imported_ca_cert_params
-		.self_signed(&imported_ca_key)
-		.unwrap();
 
 	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
@@ -205,7 +201,7 @@ fn test_botan_imported_ca_with_printable_string() {
 	params.not_after = rcgen::date_time_ymd(3016, 1, 1);
 	let key_pair = KeyPair::generate().unwrap();
 	let cert = params
-		.signed_by(&key_pair, &imported_ca_cert, &imported_ca_key)
+		.signed_by(&key_pair, &imported_ca_cert_params, &imported_ca_key)
 		.unwrap();
 
 	check_cert_ca(cert.der(), &cert, ca_cert_der);
@@ -223,7 +219,6 @@ fn test_botan_crl_parse() {
 		KeyUsagePurpose::CrlSign,
 	];
 	let issuer_key = KeyPair::generate_for(alg).unwrap();
-	let issuer = issuer.self_signed(&issuer_key).unwrap();
 
 	// Create an end entity cert issued by the issuer.
 	let (mut ee, _) = util::default_params();
@@ -232,8 +227,8 @@ fn test_botan_crl_parse() {
 	// Botan has a sanity check that enforces a maximum expiration date
 	ee.not_after = rcgen::date_time_ymd(3016, 1, 1);
 	let ee_key = KeyPair::generate_for(alg).unwrap();
-	let ee = ee.signed_by(&ee_key, &issuer, &issuer_key).unwrap();
-	let botan_ee = botan::Certificate::load(ee.der()).unwrap();
+	let ee_cert = ee.signed_by(&ee_key, &issuer, &issuer_key).unwrap();
+	let botan_ee = botan::Certificate::load(ee_cert.der()).unwrap();
 
 	// Generate a CRL with the issuer that revokes the EE cert.
 	let now = OffsetDateTime::now_utc();
@@ -243,7 +238,7 @@ fn test_botan_crl_parse() {
 		crl_number: rcgen::SerialNumber::from(1234),
 		issuing_distribution_point: None,
 		revoked_certs: vec![RevokedCertParams {
-			serial_number: ee.params().serial_number.clone().unwrap(),
+			serial_number: ee.serial_number.clone().unwrap(),
 			revocation_time: now,
 			reason_code: Some(RevocationReason::KeyCompromise),
 			invalidity_date: None,

rcgen/tests/generic.rs

@@ -107,7 +107,7 @@ mod test_x509_custom_ext {
 		assert_eq!(favorite_drink_ext.value, test_ext);
 
 		// Generate a CSR with the custom extension, parse it with x509-parser.
-		let test_cert_csr = test_cert.params().serialize_request(&test_key).unwrap();
+		let test_cert_csr = params.serialize_request(&test_key).unwrap();
 		let (_, x509_csr) = X509CertificationRequest::from_der(test_cert_csr.der()).unwrap();
 
 		// We should find that the CSR contains requested extensions.
@@ -204,8 +204,8 @@ mod test_x509_parser_crl {
 	#[test]
 	fn parse_crl() {
 		// Create a CRL with one revoked cert, and an issuer to sign the CRL.
-		let (crl, issuer) = util::test_crl();
-		let revoked_cert = crl.params().revoked_certs.first().unwrap();
+		let (crl_params, crl, issuer) = util::test_crl();
+		let revoked_cert = crl_params.revoked_certs.first().unwrap();
 		let revoked_cert_serial = BigUint::from_bytes_be(revoked_cert.serial_number.as_ref());
 		let (_, x509_issuer) = X509Certificate::from_der(issuer.der()).unwrap();
 
@@ -218,17 +218,17 @@ mod test_x509_parser_crl {
 		assert_eq!(x509_crl.issuer(), x509_issuer.subject());
 		assert_eq!(
 			x509_crl.last_update().to_datetime().unix_timestamp(),
-			crl.params().this_update.unix_timestamp()
+			crl_params.this_update.unix_timestamp()
 		);
 		assert_eq!(
 			x509_crl
 				.next_update()
 				.unwrap()
 				.to_datetime()
 				.unix_timestamp(),
-			crl.params().next_update.unix_timestamp()
+			crl_params.next_update.unix_timestamp()
 		);
-		let crl_number = BigUint::from_bytes_be(crl.params().crl_number.as_ref());
+		let crl_number = BigUint::from_bytes_be(crl_params.crl_number.as_ref());
 		assert_eq!(x509_crl.crl_number().unwrap(), &crl_number);
 
 		// We should find the expected revoked certificate serial with the correct reason code.