x509-cert: add Signed Certificate Timestamp (SCT) extension support (#…

…1134) Adds support for Signed Certificate Timestamp (SCT) extension[1] to the `x509-cert` crate. Since the structures in SCT extension are TLS encoded we need to add a dependency on the `tls_codec` crate. This dependency has been made optional and only enabled when the newly added `sct` feature is enabled. [1]: https://www.rfc-editor.org/rfc/rfc6962#section-3.2
RustCrypto · Dec 19, 2023 · b579ad6 · b579ad6
1 parent fdb711e
commit b579ad6
Show file tree

Hide file tree

Showing 4 changed files with 769 additions and 3 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/x509-cert/Cargo.toml b/x509-cert/Cargo.toml
@@ -23,6 +23,7 @@ spki = { version = "0.7.3", features = ["alloc"] }
 arbitrary = { version = "1.3", features = ["derive"], optional = true }
 sha1 = { version = "0.10.6", optional = true }
 signature = { version = "2.1.0", features = ["rand_core"], optional = true }
+tls_codec = { version = "0.4.0", default-features = false, features = ["derive"], optional = true }
 
 [dev-dependencies]
 hex-literal = "0.4"
@@ -37,12 +38,13 @@ x509-cert-test-support = { path = "./test-support" }
 
 [features]
 default = ["pem", "std"]
-std = ["const-oid/std", "der/std", "spki/std"]
+std = ["const-oid/std", "der/std", "spki/std", "tls_codec?/std"]
 
 arbitrary = ["dep:arbitrary", "std", "der/arbitrary", "spki/arbitrary"]
 builder = ["std", "sha1/default", "signature"]
 hazmat = []
 pem = ["der/pem", "spki/pem"]
+sct = ["dep:tls_codec"]
 
 [package.metadata.docs.rs]
 all-features = true

diff --git a/x509-cert/src/ext/pkix.rs b/x509-cert/src/ext/pkix.rs
@@ -9,6 +9,8 @@ mod access;
 mod authkeyid;
 mod keyusage;
 mod policymap;
+#[cfg(feature = "sct")]
+pub mod sct;
 
 use crate::attr::AttributeTypeAndValue;
 
@@ -24,6 +26,12 @@ pub use crl::{
 pub use keyusage::{ExtendedKeyUsage, KeyUsage, KeyUsages, PrivateKeyUsagePeriod};
 pub use policymap::{PolicyMapping, PolicyMappings};
 
+#[cfg(feature = "sct")]
+pub use sct::{
+    Error, HashAlgorithm, SerializedSct, SignatureAlgorithm, SignatureAndHashAlgorithm,
+    SignedCertificateTimestamp, SignedCertificateTimestampList, Version,
+};
+
 pub use const_oid::db::rfc5280::{
     ID_CE_INHIBIT_ANY_POLICY, ID_CE_ISSUER_ALT_NAME, ID_CE_SUBJECT_ALT_NAME,
     ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES, ID_CE_SUBJECT_KEY_IDENTIFIER,