Use ASN.1 string types for subject alternative names

Author: Tudyx

rcgen/examples/sign-leaf-with-ca.rs

@@ -17,7 +17,8 @@ fn main() {
 }
 
 fn new_ca() -> Certificate {
-	let mut params = CertificateParams::new(Vec::default());
+	let mut params =
+		CertificateParams::new(Vec::default()).expect("empty subject alt name can't produce error");
 	let (yesterday, tomorrow) = validity_period();
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	params.distinguished_name.push(
@@ -40,7 +41,7 @@ fn new_ca() -> Certificate {
 
 fn new_end_entity() -> Certificate {
 	let name = "entity.other.host";
-	let mut params = CertificateParams::new(vec![name.into()]);
+	let mut params = CertificateParams::new(vec![name.into()]).expect("we know the name is valid");
 	let (yesterday, tomorrow) = validity_period();
 	params.distinguished_name.push(DnType::CommonName, name);
 	params.use_authority_key_identifier_extension = true;

rcgen/examples/simple.rs

@@ -15,8 +15,8 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 		.distinguished_name
 		.push(DnType::CommonName, "Master Cert");
 	params.subject_alt_names = vec![
-		SanType::DnsName("crabs.crabs".to_string()),
-		SanType::DnsName("localhost".to_string()),
+		SanType::DnsName("crabs.crabs".try_into()?),
+		SanType::DnsName("localhost".try_into()?),
 	];
 
 	let key_pair = KeyPair::generate()?;

rcgen/src/lib.rs

@@ -119,7 +119,7 @@ pub fn generate_simple_self_signed(
 ) -> Result<CertifiedKey, Error> {
 	let key_pair = KeyPair::generate()?;
 	let cert =
-		Certificate::generate_self_signed(CertificateParams::new(subject_alt_names), &key_pair)?;
+		Certificate::generate_self_signed(CertificateParams::new(subject_alt_names)?, &key_pair)?;
 	Ok(CertifiedKey { cert, key_pair })
 }
 
@@ -152,9 +152,9 @@ const ENCODE_CONFIG: pem::EncodeConfig = {
 /// The type of subject alt name
 pub enum SanType {
 	/// Also known as E-Mail address
-	Rfc822Name(String),
-	DnsName(String),
-	URI(String),
+	Rfc822Name(Ia5String),
+	DnsName(Ia5String),
+	URI(Ia5String),
 	IpAddress(IpAddr),
 }
 
@@ -174,10 +174,12 @@ impl SanType {
 	fn try_from_general(name: &x509_parser::extensions::GeneralName<'_>) -> Result<Self, Error> {
 		Ok(match name {
 			x509_parser::extensions::GeneralName::RFC822Name(name) => {
-				SanType::Rfc822Name((*name).into())
+				SanType::Rfc822Name((*name).try_into()?)
 			},
-			x509_parser::extensions::GeneralName::DNSName(name) => SanType::DnsName((*name).into()),
-			x509_parser::extensions::GeneralName::URI(name) => SanType::URI((*name).into()),
+			x509_parser::extensions::GeneralName::DNSName(name) => {
+				SanType::DnsName((*name).try_into()?)
+			},
+			x509_parser::extensions::GeneralName::URI(name) => SanType::URI((*name).try_into()?),
 			x509_parser::extensions::GeneralName::IPAddress(octets) => {
 				SanType::IpAddress(ip_addr_from_octets(octets)?)
 			},
@@ -582,19 +584,21 @@ impl Default for CertificateParams {
 
 impl CertificateParams {
 	/// Generate certificate parameters with reasonable defaults
-	pub fn new(subject_alt_names: impl Into<Vec<String>>) -> Self {
+	pub fn new(subject_alt_names: impl Into<Vec<String>>) -> Result<Self, Error> {
 		let subject_alt_names = subject_alt_names
 			.into()
 			.into_iter()
-			.map(|s| match s.parse() {
-				Ok(ip) => SanType::IpAddress(ip),
-				Err(_) => SanType::DnsName(s),
+			.map(|s| {
+				Ok(match IpAddr::from_str(&s) {
+					Ok(ip) => SanType::IpAddress(ip),
+					Err(_) => SanType::DnsName(s.try_into()?),
+				})
 			})
-			.collect::<Vec<_>>();
-		CertificateParams {
+			.collect::<Result<Vec<_>, _>>()?;
+		Ok(CertificateParams {
 			subject_alt_names,
 			..Default::default()
-		}
+		})
 	}
 
 	/// Parses an existing ca certificate from the ASCII PEM format.
@@ -854,7 +858,7 @@ impl CertificateParams {
 						|writer| match san {
 							SanType::Rfc822Name(name)
 							| SanType::DnsName(name)
-							| SanType::URI(name) => writer.write_ia5_string(name),
+							| SanType::URI(name) => writer.write_ia5_string(name.as_str()),
 							SanType::IpAddress(IpAddr::V4(addr)) => {
 								writer.write_bytes(&addr.octets())
 							},

rcgen/tests/botan.rs

@@ -122,7 +122,7 @@ fn test_botan_separate_ca() {
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -150,7 +150,7 @@ fn test_botan_imported_ca() {
 	let imported_ca_cert =
 		Certificate::generate_self_signed(imported_ca_cert_params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -182,7 +182,7 @@ fn test_botan_imported_ca_with_printable_string() {
 	let imported_ca_cert =
 		Certificate::generate_self_signed(imported_ca_cert_params, &imported_ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");

rcgen/tests/openssl.rs

@@ -295,7 +295,7 @@ fn test_openssl_separate_ca() {
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 	let ca_cert_pem = ca_cert.pem();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -319,7 +319,7 @@ fn test_openssl_separate_ca_with_printable_string() {
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -340,7 +340,7 @@ fn test_openssl_separate_ca_with_other_signing_alg() {
 	let ca_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -370,7 +370,7 @@ fn test_openssl_separate_ca_name_constraints() {
 	});
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");

rcgen/tests/util.rs

@@ -68,7 +68,7 @@ YPTHy8SWRA2sMII3ArhHJ8A=
 
 pub fn default_params() -> (CertificateParams, KeyPair) {
 	let mut params =
-		CertificateParams::new(vec!["crabs.crabs".to_string(), "localhost".to_string()]);
+		CertificateParams::new(vec!["crabs.crabs".to_string(), "localhost".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");

rcgen/tests/webpki.rs

@@ -267,7 +267,7 @@ fn test_webpki_separate_ca() {
 	params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -295,7 +295,7 @@ fn test_webpki_separate_ca_with_other_signing_alg() {
 	let ca_key = KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
 	let ca_cert = Certificate::generate_self_signed(params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -422,7 +422,7 @@ fn test_webpki_imported_ca() {
 	let imported_ca_cert =
 		Certificate::generate_self_signed(imported_ca_cert_params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -460,7 +460,7 @@ fn test_webpki_imported_ca_with_printable_string() {
 	let imported_ca_cert =
 		Certificate::generate_self_signed(imported_ca_cert_params, &ca_key).unwrap();
 
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");
@@ -484,7 +484,7 @@ fn test_webpki_imported_ca_with_printable_string() {
 #[cfg(feature = "x509-parser")]
 #[test]
 fn test_certificate_from_csr() {
-	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]);
+	let mut params = CertificateParams::new(vec!["crabs.crabs".to_string()]).unwrap();
 	params
 		.distinguished_name
 		.push(DnType::OrganizationName, "Crab widgits SE");

rustls-cert-gen/src/cert.rs

@@ -403,13 +403,13 @@ mod tests {
 			.build()
 			.unwrap();
 		let name = "unexpected.oomyoo.xyz";
-		let names = vec![SanType::DnsName(name.into())];
+		let names = vec![SanType::DnsName(name.try_into().unwrap())];
 		let params = CertificateParams::default();
 		let cert = EndEntityBuilder::new(params, KeyPairAlgorithm::default())
 			.subject_alternative_names(names);
 		assert_eq!(
 			cert.params.subject_alt_names,
-			vec![rcgen::SanType::DnsName(name.into())]
+			vec![rcgen::SanType::DnsName(name.try_into().unwrap())]
 		);
 	}
 	#[test]

rustls-cert-gen/src/main.rs

@@ -1,6 +1,6 @@
 use bpaf::Bpaf;
-use rcgen::SanType;
-use std::{net::IpAddr, path::PathBuf};
+use rcgen::{Error, SanType};
+use std::{net::IpAddr, path::PathBuf, str::FromStr};
 
 mod cert;
 use cert::{key_pair_algorithm, CertificateBuilder, KeyPairAlgorithm};
@@ -67,7 +67,7 @@ struct Options {
 	#[bpaf(long, fallback("root-ca".into()), display_fallback)]
 	pub ca_file_name: String,
 	/// Subject Alt Name (apply multiple times for multiple names/Ips)
-	#[bpaf(many, long, argument::<String>("san"), map(parse_sans))]
+	#[bpaf(many, long, argument::<String>("san"), parse(parse_sans))]
 	pub san: Vec<SanType>,
 	/// Common Name (Currently only used for end-entity)
 	#[bpaf(long, fallback("Tls End-Entity Certificate".into()), display_fallback)]
@@ -82,15 +82,14 @@ struct Options {
 
 /// Parse cli input into SanType. Try first `IpAddr`, if that fails
 /// declare it to be a DnsName.
-fn parse_sans(hosts: Vec<String>) -> Vec<SanType> {
+fn parse_sans(hosts: Vec<String>) -> Result<Vec<SanType>, Error> {
 	hosts
 		.into_iter()
-		.map(|host| {
-			if let Ok(ip) = host.parse::<IpAddr>() {
-				SanType::IpAddress(ip)
-			} else {
-				SanType::DnsName(host)
-			}
+		.map(|s| {
+			Ok(match IpAddr::from_str(&s) {
+				Ok(ip) => SanType::IpAddress(ip),
+				Err(_) => SanType::DnsName(s.try_into()?),
+			})
 		})
 		.collect()
 }
@@ -110,9 +109,9 @@ mod tests {
 		.into_iter()
 		.map(Into::into)
 		.collect();
-		let sans: Vec<SanType> = parse_sans(hosts);
-		assert_eq!(SanType::DnsName("my.host.com".into()), sans[0]);
-		assert_eq!(SanType::DnsName("localhost".into()), sans[1]);
+		let sans: Vec<SanType> = parse_sans(hosts).unwrap();
+		assert_eq!(SanType::DnsName("my.host.com".try_into().unwrap()), sans[0]);
+		assert_eq!(SanType::DnsName("localhost".try_into().unwrap()), sans[1]);
 		assert_eq!(
 			SanType::IpAddress("185.199.108.153".parse().unwrap()),
 			sans[2]