chore: Remove cose_validator dep on validation_status (#712)
(The codes are now located in the `c2pa-status-tracker` crate.)
scouten-adobe authored Dec 5, 2024
1 parent 25cd972 commit 75112e9
Showing 1 changed file with 34 additions and 35 deletions.
69 changes: 34 additions & 35 deletions sdk/src/cose_validator.rs
Expand Up @@ -23,7 +23,7 @@ use c2pa_crypto::{
time_stamp::TimeStampError,
SigningAlg,
};
use c2pa_status_tracker::{log_item, StatusTracker};
use c2pa_status_tracker::{log_item, validation_codes::*, StatusTracker};
use ciborium::value::Value;
use conv::*;
use coset::{
Expand All @@ -43,12 +43,11 @@ use crate::openssl::verify_trust; // Eric to investigate
use crate::wasm::webpki_trust_handler::verify_trust_async; // Eric to investigate
use crate::{
// c2pa-crypto migration plans (2024-12-05)
error::{Error, Result}, // DON'T MOVE
settings::get_settings_value, // DON'T MOVE
error::{Error, Result}, // DON'T MOVE
settings::get_settings_value, // DON'T MOVE
time_stamp::gt_to_datetime, // already moved (duplicated?) to c2pa-crypto
trust_handler::{has_allowed_oid, TrustHandlerConfig}, // Eli to move to c2pa-crypto
validation_status, // Eric to move to c2pa-crypto
validator::ValidationInfo, // Eli to move to c2pa-status-tracker
validator::ValidationInfo, // Eli to move to c2pa-status-tracker
};

pub(crate) const RSA_OID: Oid<'static> = oid!(1.2.840 .113549 .1 .1 .1);
Expand Down Expand Up @@ -100,7 +99,7 @@ fn get_cose_sign1(
"could not deserialize signature",
"get_cose_sign1"
)
.validation_status(validation_status::CLAIM_SIGNATURE_MISMATCH)
.validation_status(CLAIM_SIGNATURE_MISMATCH)
.failure_no_throw(validation_log, Error::InvalidCoseSignature { coset_error });

Err(Error::CoseSignature)
Expand All @@ -121,7 +120,7 @@ pub(crate) fn check_cert(
"certificate could not be parsed",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

Error::CoseInvalidCert
Expand All @@ -134,7 +133,7 @@ pub(crate) fn check_cert(
"certificate version incorrect",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -149,7 +148,7 @@ pub(crate) fn check_cert(
.map_err(|_| Error::CoseInvalidCert)?,
) {
log_item!("Cose_Sign1", "certificate expired", "check_cert_alg")
.validation_status(validation_status::SIGNING_CREDENTIAL_EXPIRED)
.validation_status(SIGNING_CREDENTIAL_EXPIRED)
.failure_no_throw(validation_log, Error::CoseCertExpiration);

return Err(Error::CoseCertExpiration);
Expand All @@ -166,7 +165,7 @@ pub(crate) fn check_cert(
x509_parser::time::ASN1Time::from_timestamp(now).map_err(|_| Error::CoseInvalidCert)?,
) {
log_item!("Cose_Sign1", "certificate expired", "check_cert_alg")
.validation_status(validation_status::SIGNING_CREDENTIAL_EXPIRED)
.validation_status(SIGNING_CREDENTIAL_EXPIRED)
.failure_no_throw(validation_log, Error::CoseCertExpiration);

return Err(Error::CoseCertExpiration);
Expand All @@ -192,7 +191,7 @@ pub(crate) fn check_cert(
"certificate algorithm not supported",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand Down Expand Up @@ -249,7 +248,7 @@ pub(crate) fn check_cert(
"certificate algorithm error",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -265,7 +264,7 @@ pub(crate) fn check_cert(
"certificate hash algorithm not supported",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -276,7 +275,7 @@ pub(crate) fn check_cert(
"certificate missing algorithm parameters",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -301,7 +300,7 @@ pub(crate) fn check_cert(
"certificate unsupported EC curve",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand Down Expand Up @@ -331,7 +330,7 @@ pub(crate) fn check_cert(
"certificate key length too short",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -350,7 +349,7 @@ pub(crate) fn check_cert(
"certificate issuer and subject cannot be the same {self-signed disallowed}",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -363,7 +362,7 @@ pub(crate) fn check_cert(
"certificate issuer/subject unique ids are not allowed",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -384,7 +383,7 @@ pub(crate) fn check_cert(
"certificate 'any' EKU not allowed",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -396,7 +395,7 @@ pub(crate) fn check_cert(
"certificate missing required EKU",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand All @@ -416,7 +415,7 @@ pub(crate) fn check_cert(
"certificate invalid set of EKUs",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand Down Expand Up @@ -444,7 +443,7 @@ pub(crate) fn check_cert(
"certificate missing digitalSignature EKU",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

return Err(Error::CoseInvalidCert);
Expand Down Expand Up @@ -498,7 +497,7 @@ pub(crate) fn check_cert(
"certificate params incorrect",
"check_cert_alg"
)
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseInvalidCert);

Err(Error::CoseInvalidCert)
Expand Down Expand Up @@ -883,21 +882,21 @@ fn check_trust(
Ok(trusted) => {
if trusted {
log_item!("Cose_Sign1", "signing certificate trusted", "verify_cose")
.validation_status(validation_status::SIGNING_CREDENTIAL_TRUSTED)
.validation_status(SIGNING_CREDENTIAL_TRUSTED)
.success(validation_log);

Ok(())
} else {
log_item!("Cose_Sign1", "signing certificate untrusted", "verify_cose")
.validation_status(validation_status::SIGNING_CREDENTIAL_UNTRUSTED)
.validation_status(SIGNING_CREDENTIAL_UNTRUSTED)
.failure_no_throw(validation_log, Error::CoseCertUntrusted);

Err(Error::CoseCertUntrusted)
}
}
Err(e) => {
log_item!("Cose_Sign1", "signing certificate untrusted", "verify_cose")
.validation_status(validation_status::SIGNING_CREDENTIAL_UNTRUSTED)
.validation_status(SIGNING_CREDENTIAL_UNTRUSTED)
.failure_no_throw(validation_log, &e);

// TO REVIEW: Mixed message: Are we using CoseCertUntrusted in log or &e from above?
Expand Down Expand Up @@ -977,7 +976,7 @@ pub(crate) async fn verify_cose_async(
"unsupported or missing Cose algorithm",
"verify_cose_async"
)
.validation_status(validation_status::ALGORITHM_UNSUPPORTED)
.validation_status(ALGORITHM_UNSUPPORTED)
.failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);

// one of these must exist
Expand Down Expand Up @@ -1012,13 +1011,13 @@ pub(crate) async fn verify_cose_async(
"timestamp message imprint did not match",
"verify_cose"
)
.validation_status(validation_status::TIMESTAMP_MISMATCH)
.validation_status(TIMESTAMP_MISMATCH)
.failure(validation_log, Error::CoseTimeStampMismatch)?;
}

Error::CoseTimeStampValidity => {
log_item!("Cose_Sign1", "timestamp outside of validity", "verify_cose")
.validation_status(validation_status::TIMESTAMP_OUTSIDE_VALIDITY)
.validation_status(TIMESTAMP_OUTSIDE_VALIDITY)
.failure(validation_log, Error::CoseTimeStampValidity)?;
}

Expand Down Expand Up @@ -1058,7 +1057,7 @@ pub(crate) async fn verify_cose_async(
// check signature format
if let Err(_e) = check_sig(&sign1.signature, alg) {
log_item!("Cose_Sign1", "unsupported signature format", "verify_cose")
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);

// TO REVIEW: This could return e if OneShotStatusTracker is used. Hmmm.
Expand Down Expand Up @@ -1180,7 +1179,7 @@ pub(crate) fn verify_cose(
"unsupported or missing Cose algorithm",
"verify_cose"
)
.validation_status(validation_status::ALGORITHM_UNSUPPORTED)
.validation_status(ALGORITHM_UNSUPPORTED)
.failure_no_throw(validation_log, Error::CoseSignatureAlgorithmNotSupported);

return Err(Error::CoseSignatureAlgorithmNotSupported);
Expand Down Expand Up @@ -1217,7 +1216,7 @@ pub(crate) fn verify_cose(
"timestamp did not match signed data",
"verify_cose"
)
.validation_status(validation_status::TIMESTAMP_MISMATCH)
.validation_status(TIMESTAMP_MISMATCH)
.failure_no_throw(validation_log, Error::CoseTimeStampMismatch);

return Err(Error::CoseTimeStampMismatch);
Expand All @@ -1229,7 +1228,7 @@ pub(crate) fn verify_cose(
"timestamp certificate outside of validity",
"verify_cose"
)
.validation_status(validation_status::TIMESTAMP_OUTSIDE_VALIDITY)
.validation_status(TIMESTAMP_OUTSIDE_VALIDITY)
.failure_no_throw(validation_log, Error::CoseTimeStampValidity);

return Err(Error::CoseTimeStampValidity);
Expand Down Expand Up @@ -1260,7 +1259,7 @@ pub(crate) fn verify_cose(
// check signature format
if let Err(e) = check_sig(&sign1.signature, alg) {
log_item!("Cose_Sign1", "unsupported signature format", "verify_cose")
.validation_status(validation_status::SIGNING_CREDENTIAL_INVALID)
.validation_status(SIGNING_CREDENTIAL_INVALID)
.failure_no_throw(validation_log, e);

return Err(Error::CoseSignatureAlgorithmNotSupported);
Expand Down Expand Up @@ -1382,7 +1381,7 @@ pub mod tests {

assert_eq!(
validation_log.logged_items()[0].validation_status,
Some(validation_status::SIGNING_CREDENTIAL_EXPIRED.into())
Some(SIGNING_CREDENTIAL_EXPIRED.into())
);
}
}
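Review bot: The glob import `validation_codes::*` on the new `use c2pa_status_tracker` line in the first hunk hides which status codes this validator can emit and sits next to the existing `use conv::*;`, so a public name later added to either module can collide at a use site and the set of codes is no longer visible from the top of the file. The codes used in this file are a fixed set, so an explicit list keeps them greppable: `use c2pa_status_tracker::{log_item, StatusTracker, validation_codes::{ALGORITHM_UNSUPPORTED, CLAIM_SIGNATURE_MISMATCH, SIGNING_CREDENTIAL_EXPIRED, SIGNING_CREDENTIAL_INVALID, SIGNING_CREDENTIAL_TRUSTED, SIGNING_CREDENTIAL_UNTRUSTED, TIMESTAMP_MISMATCH, TIMESTAMP_OUTSIDE_VALIDITY}};`. The tests module in the last hunk now refers to `SIGNING_CREDENTIAL_EXPIRED` unqualified, which presumably relies on a `use super::*` outside the hunk; an explicit import list in the parent still covers that. The `use crate::{ ... }` block and the tests module both start or end outside their hunks.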
