feat(xmldsig): parse X509Certificate with x509-parser#53
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughSummary by CodeRabbitRelease Notes
WalkthroughAdds strict DER parsing of ChangesX.509 Certificate Parsing
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Pull request overview
This PR enhances XMLDSig <KeyInfo>/<X509Data> parsing by decoding <X509Certificate> DER bytes with x509-parser, extracting certificate metadata (DNs, SKI) and public key details while preserving metadata for unsupported key algorithms instead of failing the whole parse.
Changes:
- Add
ParsedX509CertificateandX509PublicKeyInfotypes and store parsed certificate metadata inX509DataInfo. - Parse
<X509Certificate>DER usingx509-parserand extract subject/issuer DN, SKI, and SPKI key info (RSA/EC/Unsupported). - Update tests to use a real PEM fixture certificate and add an invalid-DER regression test.
- parse <X509Certificate> DER with x509-parser and extract subject/issuer DN, SKI, and SPKI key metadata - keep unsupported SPKI algorithms as parsed metadata instead of hard parse failure - extend KeyInfo/X509Data tests to use real fixture cert DER and cover invalid DER rejection
- move add_x509_data_usage call before parse_x509_certificate in X509Certificate branch - reject oversized X509Data aggregate before expensive DER/X.509 parsing
a591d4c to
89b6536
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/xmldsig/parse.rs`:
- Around line 186-188: Add a clear doc comment documenting the parallel-array
invariant between the certificates and parsed_certificates fields: state that
both Vecs have equal length and that entries at the same index correspond to the
same certificate and its parsed representation. Put this comment near the struct
definition (above the struct or above both fields) referencing the field names
certificates and parsed_certificates and the ParsedX509Certificate type so
future maintainers know they must be updated together.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: a3ab81db-0d88-42cc-bf29-948df54746ae
📒 Files selected for processing (1)
src/xmldsig/parse.rs
- document 1:1 index correspondence between certificates and parsed_certificates
- treat EC SPKI params that are present but non-OID as unsupported key algorithm - keep missing EC params as InvalidStructure - add regression test for unsupported SPKI algorithm marker using merlin x509 fixture
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/xmldsig/parse.rs`:
- Around line 1383-1409: Update the test
parse_key_info_marks_unsupported_spki_algorithm_as_unsupported to assert the
preserved metadata on the unsupported public key instead of only checking the
Unsupported variant: after locating parsed_certificates[0] (from parse_key_info
/ KeyInfoSource::X509Data), assert that its X509PublicKeyInfo::Unsupported
contains the preserved fields (subject_dn, issuer_dn, and ski) and that they are
Some/contain the expected values (or non-empty) so the parser must retain those
values when returning Unsupported; adjust the match on
parsed_certificates[0].public_key to bind the Unsupported struct and add
assertions for subject_dn, issuer_dn, and ski.
- Around line 1370-1381: Add a regression test alongside
parse_key_info_rejects_x509_certificate_with_invalid_der that constructs a valid
DER X.509 fixture, base64-encodes it, appends a few extra bytes to the DER
payload (so X509Certificate::from_der returns Ok((_, rest)) with non-empty
rest), embeds that string into the same KeyInfo XML, calls
parse_key_info(doc.root_element()), and asserts it returns
Err(ParseError::InvalidStructure(_)); this ensures the parser branch in
parse_key_info that rejects non-empty rest after X509Certificate::from_der
cannot regress silently.
- Around line 219-224: The doc for X509PublicKeyInfo::Ec promises "uncompressed
point bytes" but code (parse.rs, X509PublicKeyInfo::Ec) currently accepts any
SEC1 encoding; either enforce the uncompressed form by validating the
public_key's first byte == 0x04 when constructing/parsing the Ec variant and
return an error if not, or change the field docstring to "encoded point bytes"
to reflect that compressed forms (0x02/0x03) are allowed; update the
constructor/parser that produces X509PublicKeyInfo::Ec and the doc comment on
the Ec variant accordingly so docs and behavior match.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7cf663fe-b6b4-4240-9bc1-0fca6a672c52
📒 Files selected for processing (1)
src/xmldsig/parse.rs
|
@polaz are you planning on merging this one? |
ofc |
Summary
Verification