Adds SignedData type to pkcs7

pkcs7/Cargo.toml

@@ -17,6 +17,7 @@ rust-version = "1.65"
 [dependencies]
 der = { version = "=0.7.0-pre", features = ["oid"], path = "../der" }
 spki = { version = "=0.7.0-pre", path = "../spki" }
+x509-cert = { version = "=0.2.0-pre", path = "../x509-cert" }
 
 [dev-dependencies]
 hex-literal = "0.3"

pkcs7/src/certificate_choices.rs

@@ -0,0 +1,64 @@
+//! `CertificateChoices` [RFC 5652 10.2.2](https://datatracker.ietf.org/doc/html/rfc5652#section-10.2.2)
+
+use core::cmp::Ordering;
+
+use der::{Choice, asn1::{BitStringRef}, ValueOrd, Sequence, AnyRef,
+};
+use spki::ObjectIdentifier;
+use x509_cert::{Certificate};
+
+// TODO (smndtrl): Should come from x509 - for now I haven't found a test case in real world
+pub type AttributeCertificateV1<'a> = BitStringRef<'a>;
+pub type AttributeCertificateV2<'a> = BitStringRef<'a>;
+pub type ExtendedCertificate<'a> = BitStringRef<'a>;
+
+
+/// ```text
+/// OtherCertificateFormat ::= SEQUENCE {
+///     otherCertFormat OBJECT IDENTIFIER,
+///     otherCert ANY DEFINED BY otherCertFormat }
+/// ```
+#[derive(Clone, Debug, PartialEq, Eq, Sequence)]
+pub struct OtherCertificateFormat<'a> {
+    other_cert_format: ObjectIdentifier,
+    other_cert: AnyRef<'a>
+}
+
+/// ```text
+/// CertificateChoices ::= CHOICE {
+///     certificate Certificate,
+///     extendedCertificate [0] IMPLICIT ExtendedCertificate,  -- Obsolete
+///     v1AttrCert [1] IMPLICIT AttributeCertificateV1,        -- Obsolete
+///     v2AttrCert [2] IMPLICIT AttributeCertificateV2,
+///     other [3] IMPLICIT OtherCertificateFormat }
+/// 
+/// OtherCertificateFormat ::= SEQUENCE {
+///     otherCertFormat OBJECT IDENTIFIER,
+///     otherCert ANY DEFINED BY otherCertFormat }
+/// ```
+#[derive(Clone, Debug, PartialEq, Eq, Choice)]
+#[allow(clippy::large_enum_variant)]
+pub enum CertificateChoices<'a> {
+    Certificate(Certificate<'a>),
+
+    #[deprecated]
+    #[asn1(context_specific = "0", tag_mode = "IMPLICIT")]
+    ExtendedCertificate(ExtendedCertificate<'a>),
+
+    #[deprecated]
+    #[asn1(context_specific = "1", tag_mode = "IMPLICIT")]
+    V1AttrCert(AttributeCertificateV1<'a>),
+
+    #[asn1(context_specific = "2", tag_mode = "IMPLICIT")]
+    V2AttrCert(AttributeCertificateV2<'a>),
+
+    #[asn1(context_specific = "3", tag_mode = "IMPLICIT")]
+    Other(OtherCertificateFormat<'a>),
+}
+
+// TODO: figure out what ordering makes sense - if any
+impl ValueOrd for CertificateChoices<'_>  {
+    fn value_cmp(&self, _other: &Self) -> der::Result<Ordering> {
+        Ok(Ordering::Equal)
+    }
+}

pkcs7/src/cms_version.rs

@@ -0,0 +1,62 @@
+use der::{FixedTag, Tag, DecodeValue, EncodeValue, Length, Writer, Reader, Header};
+
+
+
+/// The CMSVersion type gives a syntax version number, for compatibility
+/// with future revisions of this specification.
+/// ```text
+/// CMSVersion ::= INTEGER
+///     { v0(0), v1(1), v2(2), v3(3), v4(4), v5(5) }
+/// ```
+///
+/// See [RFC 5652 10.2.5](https://datatracker.ietf.org/doc/html/rfc5652#section-10.2.5).
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum CMSVersion {
+    V0 = 0,
+    V1 = 1,
+    V2 = 2,
+    V3 = 3,
+    V4 = 4,
+    V5 = 5
+}
+
+impl FixedTag for CMSVersion {
+    const TAG: Tag = Tag::Integer;
+}
+
+impl From<CMSVersion> for u8 {
+    fn from(version: CMSVersion) -> Self {
+        version as u8
+    }
+}
+
+impl TryFrom<u8> for CMSVersion {
+    type Error = der::Error;
+    fn try_from(byte: u8) -> der::Result<CMSVersion> {
+        match byte {
+            0 => Ok(CMSVersion::V0),
+            1 => Ok(CMSVersion::V1),
+            2 => Ok(CMSVersion::V2),
+            3 => Ok(CMSVersion::V3),
+            4 => Ok(CMSVersion::V4),
+            5 => Ok(CMSVersion::V5),
+            _ => Err(Self::TAG.value_error()),
+        }
+    }
+}
+
+impl<'a> DecodeValue<'a> for CMSVersion {
+    fn decode_value<R: Reader<'a>>(reader: &mut R, header: Header) -> der::Result<CMSVersion> {
+        CMSVersion::try_from(u8::decode_value(reader, header)?)
+    }
+}
+
+impl EncodeValue for CMSVersion {
+    fn value_len(&self) -> der::Result<Length> {
+        u8::from(*self).value_len()
+    }
+
+    fn encode_value(&self, writer: &mut dyn Writer) -> der::Result<()> {
+        u8::from(*self).encode_value(writer)
+    }
+}

pkcs7/src/content_info.rs

@@ -1,4 +1,4 @@
-use crate::{data_content::DataContent, encrypted_data_content::EncryptedDataContent, ContentType};
+use crate::{data_content::DataContent, encrypted_data_content::EncryptedDataContent, ContentType, signed_data_content::SignedDataContent};
 
 use der::{
     asn1::{ContextSpecific, OctetStringRef},
@@ -22,6 +22,9 @@ pub enum ContentInfo<'a> {
     /// Content type `encrypted-data`
     EncryptedData(Option<EncryptedDataContent<'a>>),
 
+    /// Content type `signed-data`
+    SignedData(Option<SignedDataContent<'a>>),
+
     /// Catch-all case for content types that are not explicitly supported
     ///   - signed-data
     ///   - enveloped-data
@@ -36,6 +39,7 @@ impl<'a> ContentInfo<'a> {
         match self {
             Self::Data(_) => ContentType::Data,
             Self::EncryptedData(_) => ContentType::EncryptedData,
+            Self::SignedData(_) => ContentType::SignedData,
             Self::Other((content_type, _)) => *content_type,
         }
     }
@@ -52,6 +56,7 @@ impl<'a> ContentInfo<'a> {
         match content_type {
             ContentType::Data => ContentInfo::Data(None),
             ContentType::EncryptedData => ContentInfo::EncryptedData(None),
+            ContentType::SignedData => ContentInfo::SignedData(None),
             _ => ContentInfo::Other((content_type, None)),
         }
     }
@@ -76,6 +81,9 @@ impl<'a> DecodeValue<'a> for ContentInfo<'a> {
                 ContentType::EncryptedData => Ok(ContentInfo::EncryptedData(
                     reader.context_specific(CONTENT_TAG, TagMode::Explicit)?,
                 )),
+                ContentType::SignedData => Ok(ContentInfo::SignedData(
+                    reader.context_specific::<SignedDataContent<'_>>(CONTENT_TAG, TagMode::Explicit)?,
+                )),
                 _ => Ok(ContentInfo::Other((
                     content_type,
                     reader
@@ -108,6 +116,14 @@ impl<'a> Sequence<'a> for ContentInfo<'a> {
                     value: *d,
                 }),
             ]),
+            Self::SignedData(data) => f(&[
+                &self.content_type(),
+                &data.as_ref().map(|d| ContextSpecific {
+                    tag_number: CONTENT_TAG,
+                    tag_mode: TagMode::Explicit,
+                    value: d.clone(),
+                }),
+            ]),
             Self::Other((content_type, opt_oct_str)) => f(&[
                 content_type,
                 &opt_oct_str.as_ref().map(|d| ContextSpecific {

pkcs7/src/encapsulated_content_info.rs

@@ -0,0 +1,30 @@
+//! `encapsulated-data` content type [RFC 5652 § 5.2](https://datatracker.ietf.org/doc/html/rfc5652#section-5.2)
+
+use crate::{ContentType};
+use der::{Sequence, AnyRef};
+
+/// Encapsulated content information [RFC 5652 § 5.2](https://datatracker.ietf.org/doc/html/rfc5652#section-5.2)
+///
+/// ```text
+/// EncapsulatedContentInfo ::= SEQUENCE {
+///   eContentType ContentType,
+///   eContent [0] EXPLICIT OCTET STRING OPTIONAL }
+/// ```
+/// Due to a difference in PKCS #7 and CMS the contents type can be either
+/// ```text
+/// content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
+/// ```
+/// or
+/// ```text
+/// eContent [0] EXPLICIT OCTET STRING OPTIONAL
+/// ```
+#[derive(Clone, Copy, Debug, Eq, PartialEq, Sequence)]
+pub struct EncapsulatedContentInfo<'a> {
+    /// indicates the type of content.
+    pub e_content_type: ContentType,
+
+    /// encapsulated content
+    #[asn1(context_specific = "0", optional = "true", tag_mode = "EXPLICIT")]
+    pub e_content: Option<AnyRef<'a>>,
+
+}

pkcs7/src/lib.rs

@@ -8,14 +8,20 @@
 #![forbid(unsafe_code, clippy::unwrap_used)]
 #![warn(missing_docs, rust_2018_idioms, unused_qualifications)]
 
+mod certificate_choices;
+mod cms_version;
 mod content_info;
 mod content_type;
+mod revocation_info_choices;
+mod signer_info;
 
 pub use crate::{content_info::ContentInfo, content_type::ContentType};
 
 pub mod data_content;
+pub mod encapsulated_content_info;
 pub mod encrypted_data_content;
 pub mod enveloped_data_content;
+pub mod signed_data_content;
 
 use der::asn1::ObjectIdentifier;
 

pkcs7/src/revocation_info_choices.rs

@@ -0,0 +1,49 @@
+//! `RevocationInfoChoices` [RFC 5652 10.2.1](https://datatracker.ietf.org/doc/html/rfc5652#section-10.2.1)
+
+use core::cmp::Ordering;
+
+use der::{Choice,  Sequence,  asn1::{SetOfVec}, ValueOrd, AnyRef,
+};
+use spki::{ObjectIdentifier};
+use x509_cert::{crl::CertificateList};
+
+/// ```text
+/// RevocationInfoChoices ::= SET OF RevocationInfoChoice
+/// RevocationInfoChoice ::= CHOICE {
+///   crl CertificateList,
+///   other [1] IMPLICIT OtherRevocationInfoFormat }
+/// OtherRevocationInfoFormat ::= SEQUENCE {
+///   otherRevInfoFormat OBJECT IDENTIFIER,
+///   otherRevInfo ANY DEFINED BY otherRevInfoFormat }
+/// ```
+#[derive(Clone, Debug, PartialEq, Eq, Choice)]
+#[allow(clippy::large_enum_variant)]
+pub enum RevocationInfoChoice<'a> {
+    Crl(CertificateList<'a>),
+
+    #[asn1(context_specific = "1", tag_mode = "IMPLICIT", constructed = "true")]
+    Other(OtherRevocationInfoFormat<'a>),
+}
+
+/// ```text
+/// RevocationInfoChoices ::= SET OF RevocationInfoChoice
+/// ```
+pub type RevocationInfoChoices<'a> = SetOfVec<RevocationInfoChoice<'a>>;
+
+/// ```text
+/// OtherRevocationInfoFormat ::= SEQUENCE {
+///   otherRevInfoFormat OBJECT IDENTIFIER,
+///   otherRevInfo ANY DEFINED BY otherRevInfoFormat }
+/// ```
+#[derive(Clone, Debug, PartialEq, Eq, Sequence)]
+pub struct OtherRevocationInfoFormat<'a> {
+    other_rev_info_format: ObjectIdentifier,
+    other_rev_info: AnyRef<'a>
+}
+
+// TODO: figure out what ordering makes sense - if any
+impl ValueOrd for RevocationInfoChoice<'_>  {
+    fn value_cmp(&self, _other: &Self) -> der::Result<Ordering> {
+        Ok(Ordering::Equal)
+    }
+}

pkcs7/src/signed_data_content.rs

@@ -0,0 +1,54 @@
+//! `signed-data` content type [RFC 5652 § 5](https://datatracker.ietf.org/doc/html/rfc5652#section-5)
+
+use crate::{signer_info::{SignerInfos}, encapsulated_content_info::EncapsulatedContentInfo, certificate_choices::CertificateChoices, revocation_info_choices::RevocationInfoChoices, cms_version::CMSVersion};
+use der::{Sequence, asn1::{SetOfVec}};
+use spki::{AlgorithmIdentifierRef};
+
+/// ```text
+/// DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+/// ```
+type DigestAlgorithmIdentifier<'a> = AlgorithmIdentifierRef<'a>;
+
+/// ```text
+/// DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
+/// ```
+type DigestAlgorithmIdentifiers<'a> = SetOfVec<DigestAlgorithmIdentifier<'a>>;
+
+/// ```text
+/// CertificateSet ::= SET OF CertificateChoices
+/// ```
+type CertificateSet<'a> = SetOfVec<CertificateChoices<'a>>;
+
+/// Signed-data content type [RFC 5652 § 5](https://datatracker.ietf.org/doc/html/rfc5652#section-5)
+///
+/// ```text
+/// SignedData ::= SEQUENCE {
+///     version CMSVersion,
+///     digestAlgorithms DigestAlgorithmIdentifiers,
+///     encapContentInfo EncapsulatedContentInfo,
+///     certificates [0] IMPLICIT CertificateSet OPTIONAL,
+///     crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
+///     signerInfos SignerInfos }
+/// ```
+#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+pub struct SignedDataContent<'a> {
+    /// the syntax version number.
+    pub version: CMSVersion,
+
+    /// digest algorithm
+    pub digest_algorithms: DigestAlgorithmIdentifiers<'a>,
+
+    /// content
+    pub encap_content_info: EncapsulatedContentInfo<'a>,
+
+    /// certs
+    #[asn1(context_specific = "0", optional = "true", tag_mode = "IMPLICIT")]
+    pub certificates: Option<CertificateSet<'a>>,
+
+    /// crls
+    #[asn1(context_specific = "1", optional = "true", tag_mode = "IMPLICIT")]
+    pub crls: Option<RevocationInfoChoices<'a>>,
+
+    /// signer info
+    pub signer_infos: SignerInfos<'a>
+}