diff --git a/src/cert.rs b/src/cert.rs
index 8f8c6732..7c76f2e1 100644
--- a/src/cert.rs
+++ b/src/cert.rs
@@ -14,13 +14,13 @@ use crate::{der, signed_data, Error};
-pub enum EndEntityOrCA<'a> {
+pub enum EndEntityOrCa<'a> {
 EndEntity,
- CA(&'a Cert<'a>),
+ Ca(&'a Cert<'a>),
 }
 pub struct Cert<'a> {
- pub ee_or_ca: EndEntityOrCA<'a>,
+ pub ee_or_ca: EndEntityOrCa<'a>,
 pub signed_data: signed_data::SignedData<'a>,
 pub issuer: untrusted::Input<'a>,
@@ -36,7 +36,7 @@ pub struct Cert<'a> {
 pub fn parse_cert<'a>(
 cert_der: untrusted::Input<'a>,
- ee_or_ca: EndEntityOrCA<'a>,
+ ee_or_ca: EndEntityOrCa<'a>,
 ) -> Result, Error> {
 parse_cert_internal(cert_der, ee_or_ca, certificate_serial_number)
 }
@@ -46,7 +46,7 @@ pub fn parse_cert<'a>(
 /// certificates.
 pub(crate) fn parse_cert_internal<'a>(
 cert_der: untrusted::Input<'a>,
- ee_or_ca: EndEntityOrCA<'a>,
+ ee_or_ca: EndEntityOrCa<'a>,
 serial_number: fn(input: &mut untrusted::Reader<'_>) -> Result<(), Error>,
 ) -> Result, Error> {
 let (tbs, signed_data) = cert_der.read_all(Error::BadDer, |cert_der| {
diff --git a/src/end_entity.rs b/src/end_entity.rs
index 93415738..8c0650a9 100644
--- a/src/end_entity.rs
+++ b/src/end_entity.rs
@@ -68,7 +68,7 @@ impl<'a> core::convert::TryFrom<&'a [u8]> for EndEntityCert<'a> {
 Ok(Self {
 inner: cert::parse_cert(
 untrusted::Input::from(cert_der),
- cert::EndEntityOrCA::EndEntity,
+ cert::EndEntityOrCa::EndEntity,
 )?,
 })
 }
diff --git a/src/name/dns_name.rs b/src/name/dns_name.rs
index 77da7cf6..e40e703f 100644
--- a/src/name/dns_name.rs
+++ b/src/name/dns_name.rs
@@ -153,7 +153,7 @@ pub(super) fn presented_id_matches_reference_id(
 ) -> Option {
 presented_id_matches_reference_id_internal(
 presented_dns_id,
- IDRole::ReferenceID,
+ IdRole::Reference,
 reference_dns_id,
 )
 }
@@ -164,7 +164,7 @@ pub(super) fn presented_id_matches_constraint(
 ) -> Option {
 presented_id_matches_reference_id_internal(
 presented_dns_id,
- IDRole::NameConstraint,
+ IdRole::NameConstraint,
 reference_dns_id,
 )
 }
@@ -291,10 +291,10 @@ pub(super) fn presented_id_matches_constraint(
 // https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html
 fn presented_id_matches_reference_id_internal(
 presented_dns_id: untrusted::Input,
- reference_dns_id_role: IDRole,
+ reference_dns_id_role: IdRole,
 reference_dns_id: untrusted::Input,
 ) -> Option {
- if !is_valid_dns_id(presented_dns_id, IDRole::PresentedID, AllowWildcards::Yes) {
+ if !is_valid_dns_id(presented_dns_id, IdRole::Presented, AllowWildcards::Yes) {
 return None;
 }
@@ -306,9 +306,9 @@ fn presented_id_matches_reference_id_internal(
 let mut reference = untrusted::Reader::new(reference_dns_id);
 match reference_dns_id_role {
- IDRole::ReferenceID => (),
+ IdRole::Reference => (),
- IDRole::NameConstraint if presented_dns_id.len() > reference_dns_id.len() => {
+ IdRole::NameConstraint if presented_dns_id.len() > reference_dns_id.len() => {
 if reference_dns_id.is_empty() {
 // An empty constraint matches everything.
 return Some(true);
@@ -357,9 +357,9 @@ fn presented_id_matches_reference_id_internal(
 }
 }
- IDRole::NameConstraint => (),
+ IdRole::NameConstraint => (),
- IDRole::PresentedID => unreachable!(),
+ IdRole::Presented => unreachable!(),
 }
 // Only allow wildcard labels that consist only of '*'.
@@ -398,7 +398,7 @@ fn presented_id_matches_reference_id_internal(
 // Allow a relative presented DNS ID to match an absolute reference DNS ID,
 // unless we're matching a name constraint.
 if !reference.at_end() {
- if reference_dns_id_role != IDRole::NameConstraint {
+ if reference_dns_id_role != IdRole::NameConstraint {
 match reference.read_byte() {
 Ok(b'.') => (),
 _ => {
@@ -432,14 +432,14 @@ enum AllowWildcards {
 }
 #[derive(Clone, Copy, PartialEq)]
-enum IDRole {
- ReferenceID,
- PresentedID,
+enum IdRole {
+ Reference,
+ Presented,
 NameConstraint,
 }
 fn is_valid_reference_dns_id(hostname: untrusted::Input) -> bool {
- is_valid_dns_id(hostname, IDRole::ReferenceID, AllowWildcards::No)
+ is_valid_dns_id(hostname, IdRole::Reference, AllowWildcards::No)
 }
 // https://tools.ietf.org/html/rfc5280#section-4.2.1.6:
@@ -454,7 +454,7 @@ fn is_valid_reference_dns_id(hostname: untrusted::Input) -> bool {
 // requirement above, underscores are also allowed in names for compatibility.
 fn is_valid_dns_id(
 hostname: untrusted::Input,
- id_role: IDRole,
+ id_role: IdRole,
 allow_wildcards: AllowWildcards,
 ) -> bool {
 // https://blogs.msdn.microsoft.com/oldnewthing/20120412-00/?p=7873/
@@ -464,7 +464,7 @@ fn is_valid_dns_id(
 let mut input = untrusted::Reader::new(hostname);
- if id_role == IDRole::NameConstraint && input.at_end() {
+ if id_role == IdRole::NameConstraint && input.at_end() {
 return true;
 }
@@ -523,7 +523,7 @@ fn is_valid_dns_id(
 Ok(b'.') => {
 dot_count += 1;
- if label_length == 0 && (id_role != IDRole::NameConstraint || !is_first_byte) {
+ if label_length == 0 && (id_role != IdRole::NameConstraint || !is_first_byte) {
 return false;
 }
 if label_ends_with_hyphen {
@@ -545,7 +545,7 @@ fn is_valid_dns_id(
 // Only reference IDs, not presented IDs or name constraints, may be
 // absolute.
- if label_length == 0 && id_role != IDRole::ReferenceID {
+ if label_length == 0 && id_role != IdRole::Reference {
 return false;
 }
diff --git a/src/name/verify.rs b/src/name/verify.rs
index a59d8899..6082c19e 100644
--- a/src/name/verify.rs
+++ b/src/name/verify.rs
@@ -17,7 +17,7 @@ use super::{
 ip_address,
 };
 use crate::{
- cert::{Cert, EndEntityOrCA},
+ cert::{Cert, EndEntityOrCa},
 der, Error,
 };
@@ -86,8 +86,8 @@ pub fn check_name_constraints(
 })?;
 child = match child.ee_or_ca {
- EndEntityOrCA::CA(child_cert) => child_cert,
- EndEntityOrCA::EndEntity => {
+ EndEntityOrCa::Ca(child_cert) => child_cert,
+ EndEntityOrCa::EndEntity => {
 break;
 }
 };
@@ -171,7 +171,7 @@ fn check_presented_id_conforms_to_constraints_in_subtree(
 presented_directory_name_matches_constraint(name, base, subtrees),
 ),
- (GeneralName::IPAddress(name), GeneralName::IPAddress(base)) => {
+ (GeneralName::IpAddress(name), GeneralName::IpAddress(base)) => {
 ip_address::presented_id_matches_constraint(name, base)
 }
@@ -288,7 +288,7 @@ fn iterate_names(
 enum GeneralName<'a> {
 DnsName(untrusted::Input<'a>),
 DirectoryName(untrusted::Input<'a>),
- IPAddress(untrusted::Input<'a>),
+ IpAddress(untrusted::Input<'a>),
 // The value is the `tag & ~(der::CONTEXT_SPECIFIC | der::CONSTRUCTED)` so
 // that the name constraint checking matches tags regardless of whether
@@ -313,7 +313,7 @@ fn general_name<'a>(input: &mut untrusted::Reader<'a>) -> Result
 let name = match tag {
 DNS_NAME_TAG => GeneralName::DnsName(value),
 DIRECTORY_NAME_TAG => GeneralName::DirectoryName(value),
- IP_ADDRESS_TAG => GeneralName::IPAddress(value),
+ IP_ADDRESS_TAG => GeneralName::IpAddress(value),
 OTHER_NAME_TAG | RFC822_NAME_TAG
diff --git a/src/trust_anchor.rs b/src/trust_anchor.rs
index c5ca9bba..0ac2806e 100644
--- a/src/trust_anchor.rs
+++ b/src/trust_anchor.rs
@@ -1,6 +1,6 @@
 use crate::cert::{certificate_serial_number, Cert};
 use crate::{
- cert::{parse_cert_internal, EndEntityOrCA},
+ cert::{parse_cert_internal, EndEntityOrCa},
 der, Error,
 };
@@ -53,7 +53,7 @@ impl<'a> TrustAnchor<'a> {
 // embedded name constraints in a v1 certificate.
 match parse_cert_internal(
 cert_der,
- EndEntityOrCA::EndEntity,
+ EndEntityOrCa::EndEntity,
 possibly_invalid_certificate_serial_number,
 ) {
 Ok(cert) => Ok(Self::from(cert)),
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
index cb89bc47..c68e6cf2 100644
--- a/src/verify_cert.rs
+++ b/src/verify_cert.rs
@@ -13,7 +13,7 @@ // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 use crate::{
- cert::{self, Cert, EndEntityOrCA},
+ cert::{self, Cert, EndEntityOrCa},
 der, name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor,
 };
@@ -39,14 +39,14 @@ pub fn build_chain(
 // TODO: HPKP checks.
 match used_as_ca {
- UsedAsCA::Yes => {
+ UsedAsCa::Yes => {
 const MAX_SUB_CA_COUNT: usize = 6;
 if sub_ca_count >= MAX_SUB_CA_COUNT {
 return Err(Error::UnknownIssuer);
 }
 }
- UsedAsCA::No => {
+ UsedAsCa::No => {
 assert_eq!(0, sub_ca_count);
 }
 }
@@ -83,7 +83,7 @@ pub fn build_chain(
 loop_while_non_fatal_error(intermediate_certs, |cert_der| {
 let potential_issuer =
- cert::parse_cert(untrusted::Input::from(*cert_der), EndEntityOrCA::CA(&cert))?;
+ cert::parse_cert(untrusted::Input::from(*cert_der), EndEntityOrCa::Ca(&cert))?;
 if potential_issuer.subject != cert.issuer {
 return Err(Error::UnknownIssuer);
@@ -98,10 +98,10 @@ pub fn build_chain(
 return Err(Error::UnknownIssuer);
 }
 match &prev.ee_or_ca {
- EndEntityOrCA::EndEntity => {
+ EndEntityOrCa::EndEntity => {
 break;
 }
- EndEntityOrCA::CA(child_cert) => {
+ EndEntityOrCa::Ca(child_cert) => {
 prev = child_cert;
 }
 }
@@ -112,8 +112,8 @@ pub fn build_chain(
 })?;
 let next_sub_ca_count = match used_as_ca {
- UsedAsCA::No => sub_ca_count,
- UsedAsCA::Yes => sub_ca_count + 1,
+ UsedAsCa::No => sub_ca_count,
+ UsedAsCa::Yes => sub_ca_count + 1,
 };
 build_chain(
@@ -141,11 +141,11 @@ fn check_signatures(
 // TODO: check revocation
 match &cert.ee_or_ca {
- EndEntityOrCA::CA(child_cert) => {
+ EndEntityOrCa::Ca(child_cert) => {
 spki_value = cert.spki.value();
 cert = child_cert;
 }
- EndEntityOrCA::EndEntity => {
+ EndEntityOrCa::EndEntity => {
 break;
 }
 }
@@ -157,7 +157,7 @@ fn check_signatures(
 fn check_issuer_independent_properties(
 cert: &Cert,
 time: time::Time,
- used_as_ca: UsedAsCA,
+ used_as_ca: UsedAsCa,
 sub_ca_count: usize,
 required_eku_if_present: KeyPurposeId,
 ) -> Result<(), Error> {
@@ -204,22 +204,22 @@ fn check_validity(input: &mut untrusted::Reader, time: time::Time) -> Result<(),
 }
 #[derive(Clone, Copy)]
-enum UsedAsCA {
+enum UsedAsCa {
 Yes,
 No,
 }
-fn used_as_ca(ee_or_ca: &EndEntityOrCA) -> UsedAsCA {
+fn used_as_ca(ee_or_ca: &EndEntityOrCa) -> UsedAsCa {
 match ee_or_ca {
- EndEntityOrCA::EndEntity => UsedAsCA::No,
- EndEntityOrCA::CA(..) => UsedAsCA::Yes,
+ EndEntityOrCa::EndEntity => UsedAsCa::No,
+ EndEntityOrCa::Ca(..) => UsedAsCa::Yes,
 }
 }
 // https://tools.ietf.org/html/rfc5280#section-4.2.1.9
 fn check_basic_constraints(
 input: Option<&mut untrusted::Reader>,
- used_as_ca: UsedAsCA,
+ used_as_ca: UsedAsCa,
 sub_ca_count: usize,
 ) -> Result<(), Error> {
 let (is_ca, path_len_constraint) = match input {
@@ -243,9 +243,9 @@ fn check_basic_constraints(
 };
 match (used_as_ca, is_ca, path_len_constraint) {
- (UsedAsCA::No, true, _) => Err(Error::CaUsedAsEndEntity),
- (UsedAsCA::Yes, false, _) => Err(Error::EndEntityUsedAsCa),
- (UsedAsCA::Yes, true, Some(len)) if sub_ca_count > len => {
+ (UsedAsCa::No, true, _) => Err(Error::CaUsedAsEndEntity),
+ (UsedAsCa::Yes, false, _) => Err(Error::EndEntityUsedAsCa),
+ (UsedAsCa::Yes, true, Some(len)) if sub_ca_count > len => {
 Err(Error::PathLenConstraintViolated)
 }
 _ => Ok(()),