Update to der-parser 7.0 and asn1-rs, and remove chrono (closes #111)

Author: chifflier

Cargo.toml

@@ -38,16 +38,14 @@ verify = ["ring"]
 validate = []
 
 [dependencies]
+asn1-rs = { version = "0.3", features=["datetime"] }
 base64 = "0.13"
-chrono = { version="0.4", default-features=false, features=["std"] }
 data-encoding = "2.2.1"
 lazy_static = "1.4"
 nom = "7.0"
-oid-registry = { version="0.2.0", features=["crypto", "x509"] }
+oid-registry = { version="0.4", features=["crypto", "x509"] }
 rusticata-macros = "4.0"
 ring = { version="0.16", optional=true }
-der-parser = { version = "6.0.0", features=["bigint"] }
+der-parser = { version = "7.0.0", features=["bigint"] }
 thiserror = "1.0"
-
-[patch.crates-io]
-oid-registry = { git="https://github.com/rusticata/oid-registry" }
+time = { version="0.3", features=["formatting"] }

examples/print-cert.rs

@@ -1,4 +1,4 @@
-use der_parser::ber::BerTag;
+use der_parser::der::Tag;
 use der_parser::oid::Oid;
 use nom::HexDisplay;
 use std::cmp::min;
@@ -136,12 +136,12 @@ fn print_x509_digest_algorithm(alg: &AlgorithmIdentifier, level: usize) {
         indent = level
     );
     if let Some(parameter) = &alg.parameters {
-        let s = match parameter.header.tag {
-            BerTag::Oid => {
+        let s = match parameter.tag() {
+            Tag::Oid => {
                 let oid = parameter.as_oid().unwrap();
                 format_oid(oid)
             }
-            _ => format!("{}", parameter.header.tag),
+            _ => format!("{}", parameter.tag()),
         };
         println!("{:indent$}Parameter: <PRESENT> {}", "", s, indent = level);
         if let Ok(bytes) = parameter.as_slice() {

examples/print-crl.rs

@@ -83,7 +83,7 @@ fn print_x509_digest_algorithm(alg: &AlgorithmIdentifier, level: usize) {
         println!(
             "{:indent$}Parameter: <PRESENT> {:?}",
             "",
-            parameter.header.tag,
+            parameter.tag(),
             indent = level
         );
         if let Ok(bytes) = parameter.as_slice() {

src/certificate.rs

@@ -12,15 +12,16 @@ use crate::x509::{
     X509Version,
 };
 
-use der_parser::ber::{parse_ber_optional, BerTag, BitStringObject};
+use der_parser::ber::{parse_ber_optional, BitStringObject, Tag};
 use der_parser::der::*;
 use der_parser::error::*;
 use der_parser::num_bigint::BigUint;
-use der_parser::oid::Oid;
 use der_parser::*;
 use nom::{Offset, Parser};
+use oid_registry::Oid;
 use oid_registry::*;
 use std::collections::HashMap;
+use time::Duration;
 
 /// An X.509 v3 Certificate.
 ///
@@ -472,7 +473,7 @@ impl<'a> FromDer<'a> for TbsCertificate<'a> {
             let (i, subject_pki) = SubjectPublicKeyInfo::from_der(i)?;
             let (i, issuer_uid) = UniqueIdentifier::from_der_issuer(i)?;
             let (i, subject_uid) = UniqueIdentifier::from_der_subject(i)?;
-            let (i, extensions) = parse_extensions(i, BerTag(3))?;
+            let (i, extensions) = parse_extensions(i, Tag(3))?;
             let len = start_i.offset(i);
             let tbs = TbsCertificate {
                 version,
@@ -530,9 +531,9 @@ impl<'a> Parser<&'a [u8], TbsCertificate<'a>, X509Error> for TbsCertificateParse
             let (i, issuer_uid) = UniqueIdentifier::from_der_issuer(i)?;
             let (i, subject_uid) = UniqueIdentifier::from_der_subject(i)?;
             let (i, extensions) = if self.deep_parse_extensions {
-                parse_extensions(i, BerTag(3))?
+                parse_extensions(i, Tag(3))?
             } else {
-                parse_extensions_envelope(i, BerTag(3))?
+                parse_extensions_envelope(i, Tag(3))?
             };
             let len = start_i.offset(i);
             let tbs = TbsCertificate {
@@ -580,7 +581,7 @@ impl Validity {
     /// If the certificate is not currently valid, then `None` is
     /// returned.  Otherwise, the `Duration` until the certificate
     /// expires is returned.
-    pub fn time_to_expiration(&self) -> Option<std::time::Duration> {
+    pub fn time_to_expiration(&self) -> Option<Duration> {
         let now = ASN1Time::now();
         if !self.is_valid_at(now) {
             return None;
@@ -637,7 +638,7 @@ impl<'a> UniqueIdentifier<'a> {
     fn parse(i: &[u8], tag: u32) -> BerResult<Option<UniqueIdentifier>> {
         let (rem, obj) = parse_ber_optional(parse_der_tagged_implicit(
             tag,
-            parse_der_content(DerTag::BitString),
+            parse_der_content(Tag::BitString),
         ))(i)?;
         let unique_id = match obj.content {
             DerObjectContent::Optional(None) => Ok(None),
@@ -662,11 +663,11 @@ mod tests {
             not_after: ASN1Time::now(),
         };
         assert_eq!(v.time_to_expiration(), None);
-        v.not_after = (v.not_after + std::time::Duration::new(60, 0)).unwrap();
+        v.not_after = (v.not_after + Duration::new(60, 0)).unwrap();
         assert!(v.time_to_expiration().is_some());
-        assert!(v.time_to_expiration().unwrap() <= std::time::Duration::from_secs(60));
+        assert!(v.time_to_expiration().unwrap() <= Duration::new(60, 0));
         // The following assumes this timing won't take 10 seconds... I
         // think that is safe.
-        assert!(v.time_to_expiration().unwrap() > std::time::Duration::from_secs(50));
+        assert!(v.time_to_expiration().unwrap() > Duration::new(50, 0));
     }
 }

src/cri_attributes.rs

@@ -4,9 +4,7 @@ use crate::{
     traits::FromDer,
 };
 
-use der_parser::der::{
-    der_read_element_header, parse_der_oid, parse_der_sequence_defined_g, DerTag,
-};
+use der_parser::der::{der_read_element_header, parse_der_oid, parse_der_sequence_defined_g, Tag};
 use der_parser::error::BerError;
 use der_parser::oid::Oid;
 use nom::combinator::map_res;
@@ -28,7 +26,7 @@ impl<'a> FromDer<'a> for X509CriAttribute<'a> {
             let (i, oid) = map_res(parse_der_oid, |x| x.as_oid_val())(i)?;
             let value_start = i;
             let (i, hdr) = der_read_element_header(i)?;
-            if hdr.tag != DerTag::Set {
+            if hdr.tag() != Tag::Set {
                 return Err(Err::Error(BerError::BerTypeError));
             };
 
@@ -119,7 +117,8 @@ pub(crate) fn parse_cri_attributes(i: &[u8]) -> X509Result<Vec<X509CriAttribute>
     if i.is_empty() {
         return Ok((i, Vec::new()));
     }
-    (0..hdr.structured)
+    let constructed = if hdr.constructed() { 1 } else { 0 };
+    (0..constructed)
         .into_iter()
         .try_fold((i, Vec::new()), |(i, mut attrs), _| {
             let (rem, attr) = X509CriAttribute::from_der(i)?;

src/extensions/generalname.rs

@@ -8,7 +8,7 @@ use der_parser::error::BerError;
 use der_parser::oid::Oid;
 use nom::bytes::streaming::take;
 use nom::combinator::{all_consuming, verify};
-use nom::{Err, IResult};
+use nom::{Err, IResult, Needed};
 use std::fmt;
 
 #[derive(Clone, Debug, PartialEq)]
@@ -60,20 +60,21 @@ impl<'a> fmt::Display for GeneralName<'a> {
 
 pub(crate) fn parse_generalname<'a>(i: &'a [u8]) -> IResult<&'a [u8], GeneralName, BerError> {
     let (rest, hdr) = verify(der_read_element_header, |hdr| hdr.is_contextspecific())(i)?;
-    let len = hdr.len.primitive()?;
+    let len = hdr.length().definite()?;
     if len > rest.len() {
-        return Err(nom::Err::Failure(BerError::ObjectTooShort));
+        let needed = Needed::new(len - rest.len());
+        return Err(nom::Err::Failure(BerError::Incomplete(needed)));
     }
-    fn ia5str<'a>(i: &'a [u8], hdr: DerObjectHeader) -> Result<&'a str, Err<BerError>> {
+    fn ia5str<'a>(i: &'a [u8], hdr: Header) -> Result<&'a str, Err<BerError>> {
         // Relax constraints from RFC here: we are expecting an IA5String, but many certificates
         // are using unicode characters
-        der_read_element_content_as(i, DerTag::Utf8String, hdr.len, hdr.is_constructed(), 0)?
+        der_read_element_content_as(i, Tag::Utf8String, hdr.length(), hdr.is_constructed(), 1)?
             .1
             .as_slice()
             .and_then(|s| std::str::from_utf8(s).map_err(|_| BerError::BerValueError))
             .map_err(nom::Err::Failure)
     }
-    let name = match hdr.tag.0 {
+    let name = match hdr.tag().0 {
         0 => {
             // otherName SEQUENCE { OID, [0] explicit any defined by oid }
             let (any, oid) = parse_der_oid(rest)?;
@@ -106,10 +107,10 @@ pub(crate) fn parse_generalname<'a>(i: &'a [u8]) -> IResult<&'a [u8], GeneralNam
             // IPAddress, OctetString
             let ip = der_read_element_content_as(
                 rest,
-                DerTag::OctetString,
-                hdr.len,
+                Tag::OctetString,
+                hdr.length(),
                 hdr.is_constructed(),
-                0,
+                1,
             )?
             .1
             .as_slice()
@@ -118,13 +119,13 @@ pub(crate) fn parse_generalname<'a>(i: &'a [u8]) -> IResult<&'a [u8], GeneralNam
         }
         8 => {
             let oid =
-                der_read_element_content_as(rest, DerTag::Oid, hdr.len, hdr.is_constructed(), 0)?
+                der_read_element_content_as(rest, Tag::Oid, hdr.length(), hdr.is_constructed(), 1)?
                     .1
                     .as_oid_val()
                     .map_err(nom::Err::Failure)?;
             GeneralName::RegisteredID(oid)
         }
-        _ => return Err(Err::Failure(BerError::UnknownTag)),
+        _ => return Err(Err::Failure(BerError::unexpected_tag(None, hdr.tag()))),
     };
     Ok((&rest[len..], name))
 }

src/extensions/keyusage.rs

@@ -128,7 +128,7 @@ pub(crate) fn parse_extendedkeyusage(i: &[u8]) -> IResult<&[u8], ExtendedKeyUsag
         if !seen.insert(oid.clone()) {
             continue;
         }
-        let asn1 = oid.bytes();
+        let asn1 = oid.as_bytes();
         if asn1 == oid!(raw 2.5.29.37.0) {
             eku.any = true;
         } else if asn1 == oid!(raw 1.3.6.1.5.5.7.3.1) {

src/extensions/mod.rs

@@ -503,7 +503,7 @@ impl<'a> FromDer<'a> for IssuerAlternativeName<'a> {
 
 #[derive(Clone, Debug, PartialEq)]
 pub struct UnparsedObject<'a> {
-    pub header: DerObjectHeader<'a>,
+    pub header: Header<'a>,
     pub data: &'a [u8],
 }
 
@@ -789,11 +789,11 @@ pub(crate) mod parser {
     pub(super) fn parse_policyconstraints(i: &[u8]) -> IResult<&[u8], PolicyConstraints, BerError> {
         parse_der_sequence_defined_g(|input, _| {
             let (i, require_explicit_policy) = opt(complete(map_res(
-                parse_der_tagged_implicit(0, parse_der_content(DerTag::Integer)),
+                parse_der_tagged_implicit(0, parse_der_content(Tag::Integer)),
                 |x| x.as_u32(),
             )))(input)?;
             let (i, inhibit_policy_mapping) = all_consuming(opt(complete(map_res(
-                parse_der_tagged_implicit(1, parse_der_content(DerTag::Integer)),
+                parse_der_tagged_implicit(1, parse_der_content(Tag::Integer)),
                 |x| x.as_u32(),
             ))))(i)?;
             let policy_constraint = PolicyConstraints {
@@ -829,7 +829,7 @@ pub(crate) mod parser {
     //     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
     fn parse_distributionpointname(i: &[u8]) -> IResult<&[u8], DistributionPointName, BerError> {
         let (rem, header) = der_read_element_header(i)?;
-        match header.tag.0 {
+        match header.tag().0 {
             0 => {
                 let (rem, names) = many1(complete(parse_generalname))(rem)?;
                 Ok((rem, DistributionPointName::FullName(names)))
@@ -854,7 +854,7 @@ pub(crate) mod parser {
     // privilegeWithdrawn      (7),
     // aACompromise            (8) }
     fn parse_tagged1_reasons(i: &[u8]) -> BerResult<ReasonFlags> {
-        let (rem, obj) = parse_der_tagged_implicit(1, parse_der_content(DerTag::BitString))(i)?;
+        let (rem, obj) = parse_der_tagged_implicit(1, parse_der_content(Tag::BitString))(i)?;
         if let DerObjectContent::BitString(_, b) = obj.content {
             let flags = b
                 .data
@@ -940,7 +940,7 @@ pub(crate) mod parser {
 
     fn parse_aki_content<'a>(
         i: &'a [u8],
-        _hdr: DerObjectHeader<'_>,
+        _hdr: Header<'_>,
     ) -> IResult<&'a [u8], AuthorityKeyIdentifier<'a>, BerError> {
         let (i, key_identifier) = opt(complete(parse_der_tagged_implicit_g(0, |d, _, _| {
             Ok((&[], KeyIdentifier(d)))
@@ -951,7 +951,7 @@ pub(crate) mod parser {
             })))(i)?;
         let (i, authority_cert_serial) = opt(complete(parse_der_tagged_implicit(
             2,
-            parse_der_content(DerTag::Integer),
+            parse_der_content(Tag::Integer),
         )))(i)?;
         let authority_cert_serial = authority_cert_serial.and_then(|o| o.as_slice().ok());
         let aki = AuthorityKeyIdentifier {
@@ -1131,14 +1131,14 @@ pub(crate) fn parse_extension_sequence(i: &[u8]) -> X509Result<Vec<X509Extension
     )
 }
 
-pub(crate) fn parse_extensions(i: &[u8], explicit_tag: DerTag) -> X509Result<Vec<X509Extension>> {
+pub(crate) fn parse_extensions(i: &[u8], explicit_tag: Tag) -> X509Result<Vec<X509Extension>> {
     if i.is_empty() {
         return Ok((i, Vec::new()));
     }
 
     match der_read_element_header(i) {
         Ok((rem, hdr)) => {
-            if hdr.tag != explicit_tag {
+            if hdr.tag() != explicit_tag {
                 return Err(Err::Error(X509Error::InvalidExtensions));
             }
             all_consuming(parse_extension_sequence)(rem)
@@ -1156,15 +1156,15 @@ pub(crate) fn parse_extension_envelope_sequence(i: &[u8]) -> X509Result<Vec<X509
 
 pub(crate) fn parse_extensions_envelope(
     i: &[u8],
-    explicit_tag: DerTag,
+    explicit_tag: Tag,
 ) -> X509Result<Vec<X509Extension>> {
     if i.is_empty() {
         return Ok((i, Vec::new()));
     }
 
     match der_read_element_header(i) {
         Ok((rem, hdr)) => {
-            if hdr.tag != explicit_tag {
+            if hdr.tag() != explicit_tag {
                 return Err(Err::Error(X509Error::InvalidExtensions));
             }
             all_consuming(parse_extension_envelope_sequence)(rem)

src/revocation_list.rs

@@ -7,7 +7,7 @@ use crate::x509::{
     parse_serial, parse_signature_value, AlgorithmIdentifier, ReasonCode, X509Name, X509Version,
 };
 
-use der_parser::ber::{BerTag, BitStringObject};
+use der_parser::ber::{BitStringObject, Tag};
 use der_parser::der::*;
 use der_parser::num_bigint::BigUint;
 use der_parser::oid::Oid;
@@ -215,7 +215,7 @@ impl<'a> FromDer<'a> for TbsCertList<'a> {
             let (i, this_update) = ASN1Time::from_der(i)?;
             let (i, next_update) = ASN1Time::from_der_opt(i)?;
             let (i, revoked_certificates) = opt(complete(parse_revoked_certificates))(i)?;
-            let (i, extensions) = parse_extensions(i, BerTag(0))?;
+            let (i, extensions) = parse_extensions(i, Tag(0))?;
             let len = start_i.offset(i);
             let tbs = TbsCertList {
                 version,