x509-cert: make Name a new type over RdnSequence (#1499)

This make `FromStr` documented way to build a name.
This also exposes a set of getter methods to get elements from the name
(CN, Org, ...).

Author: baloo

cms/tests/builder.rs

@@ -13,7 +13,7 @@ use cms::enveloped_data::RecipientInfo::Ktri;
 use cms::enveloped_data::{EnvelopedData, RecipientIdentifier, RecipientInfo};
 use cms::signed_data::{EncapsulatedContentInfo, SignedData, SignerIdentifier};
 use const_oid::ObjectIdentifier;
-use der::asn1::{OctetString, PrintableString, SetOfVec, Utf8StringRef};
+use der::asn1::{OctetString, PrintableString, SetOfVec};
 use der::{Any, AnyRef, Decode, DecodePem, Encode, Tag, Tagged};
 use p256::{pkcs8::DecodePrivateKey, NistP256};
 use pem_rfc7468::LineEnding;
@@ -24,8 +24,7 @@ use rsa::{Pkcs1v15Encrypt, RsaPrivateKey, RsaPublicKey};
 use sha2::Sha256;
 use signature::Verifier;
 use spki::AlgorithmIdentifierOwned;
-use x509_cert::attr::{Attribute, AttributeTypeAndValue, AttributeValue};
-use x509_cert::name::{RdnSequence, RelativeDistinguishedName};
+use x509_cert::attr::{Attribute, AttributeValue};
 use x509_cert::serial_number::SerialNumber;
 
 // TODO bk replace this by const_oid definitions as soon as released
@@ -50,30 +49,18 @@ fn ecdsa_signer() -> ecdsa::SigningKey<NistP256> {
 }
 
 fn signer_identifier(id: i32) -> SignerIdentifier {
-    let mut rdn_sequence = RdnSequence::default();
-    let rdn = &[AttributeTypeAndValue {
-        oid: const_oid::db::rfc4519::CN,
-        value: Any::from(Utf8StringRef::new(&format!("test client {id}")).unwrap()),
-    }];
-    let set_of_vector = SetOfVec::try_from(rdn.to_vec()).unwrap();
-    rdn_sequence.push(RelativeDistinguishedName::from(set_of_vector));
+    let issuer = format!("CN=test client {id}").parse().unwrap();
     SignerIdentifier::IssuerAndSerialNumber(IssuerAndSerialNumber {
-        issuer: rdn_sequence,
+        issuer,
         serial_number: SerialNumber::new(&[0x01, 0x02, 0x03, 0x04, 0x05, 0x06])
             .expect("failed to create a serial number"),
     })
 }
 
 fn recipient_identifier(id: i32) -> RecipientIdentifier {
-    let mut rdn_sequence = RdnSequence::default();
-    let rdn = &[AttributeTypeAndValue {
-        oid: const_oid::db::rfc4519::CN,
-        value: Any::from(Utf8StringRef::new(&format!("test client {id}")).unwrap()),
-    }];
-    let set_of_vector = SetOfVec::try_from(rdn.to_vec()).unwrap();
-    rdn_sequence.push(RelativeDistinguishedName::from(set_of_vector));
+    let issuer = format!("CN=test client {id}").parse().unwrap();
     RecipientIdentifier::IssuerAndSerialNumber(IssuerAndSerialNumber {
-        issuer: rdn_sequence,
+        issuer,
         serial_number: SerialNumber::new(&[0x01, 0x02, 0x03, 0x04, 0x05, 0x06])
             .expect("failed to create a serial number"),
     })

x509-cert/src/builder/profile/cabf.rs

@@ -43,7 +43,7 @@ pub fn check_names_encoding(name: &Name, multiple_allowed: bool) -> Result<()> {
 
     let mut seen = HashSet::new();
 
-    for rdn in name.iter() {
+    for rdn in name.iter_rdn() {
         if rdn.len() != 1 {
             return Err(Error::NonUniqueRdn);
         }
@@ -87,13 +87,11 @@ pub fn ca_certificate_naming(subject: &Name) -> Result<()> {
 
     check_names_encoding(subject, false)?;
 
-    for rdn in subject.iter() {
-        for atv in rdn.iter() {
-            if !allowed.remove(&atv.oid) {
-                return Err(Error::InvalidAttribute { oid: atv.oid });
-            }
-            required.remove(&atv.oid);
+    for atv in subject.iter() {
+        if !allowed.remove(&atv.oid) {
+            return Err(Error::InvalidAttribute { oid: atv.oid });
         }
+        required.remove(&atv.oid);
     }
 
     if !required.is_empty() {

x509-cert/src/builder/profile/cabf/tls.rs

@@ -145,7 +145,7 @@ impl CertificateType {
         // TODO(baloo): not very happy with all that, might as well throw that in a helper
         // or something.
         let rdns: vec::Vec<RelativeDistinguishedName> = subject
-            .iter()
+            .iter_rdn()
             .filter_map(|rdn| {
                 let out = SetOfVec::<AttributeTypeAndValue>::from_iter(
                     rdn.iter()
@@ -159,7 +159,7 @@ impl CertificateType {
             .filter(|rdn| !rdn.is_empty())
             .collect();
 
-        let subject: Name = rdns.into();
+        let subject: Name = Name(rdns.into());
 
         Ok(Self::DomainValidated(DomainValidated { subject, names }))
     }

x509-cert/src/ext/pkix/name/dirstr.rs

@@ -1,6 +1,8 @@
 use alloc::string::String;
-use der::asn1::{PrintableString, TeletexString};
-use der::{Choice, ValueOrd};
+use der::{
+    asn1::{Any, PrintableString, TeletexString},
+    Choice, FixedTag, Header, Reader, ValueOrd,
+};
 
 /// DirectoryString as defined in [RFC 5280 Section 4.2.1.4].
 ///
@@ -51,3 +53,41 @@ pub enum DirectoryString {
     #[asn1(type = "UTF8String")]
     Utf8String(String),
 }
+
+impl<'a> TryFrom<&'a Any> for DirectoryString {
+    type Error = der::Error;
+    fn try_from(any: &'a Any) -> der::Result<Self> {
+        any.decode_as()
+    }
+}
+
+impl<'a> der::DecodeValue<'a> for DirectoryString {
+    type Error = der::Error;
+
+    fn decode_value<R: Reader<'a>>(reader: &mut R, header: Header) -> Result<Self, Self::Error> {
+        match header.tag {
+            PrintableString::TAG => {
+                PrintableString::decode_value(reader, header).map(Self::PrintableString)
+            }
+            TeletexString::TAG => {
+                TeletexString::decode_value(reader, header).map(Self::TeletexString)
+            }
+            String::TAG => String::decode_value(reader, header).map(Self::Utf8String),
+            actual => Err(der::ErrorKind::TagUnexpected {
+                expected: None,
+                actual,
+            }
+            .into()),
+        }
+    }
+}
+
+impl AsRef<str> for DirectoryString {
+    fn as_ref(&self) -> &str {
+        match self {
+            Self::PrintableString(s) => s.as_ref(),
+            Self::TeletexString(s) => s.as_ref(),
+            Self::Utf8String(s) => s.as_ref(),
+        }
+    }
+}