1use alloc::vec::Vec;
2use alloc::{fmt, format};
34use pki_types::{CertificateDer, TrustAnchor};
5use webpki::anchor_from_trusted_cert;
67use super::pki_error;
8use crate::log::{debug, trace};
9use crate::{DistinguishedName, Error};
1011/// A container for root certificates able to provide a root-of-trust
12/// for connection authentication.
13#[derive(Clone)]
14pub struct RootCertStore {
15/// The list of roots.
16pub roots: Vec<TrustAnchor<'static>>,
17}
1819impl RootCertStore {
20/// Make a new, empty `RootCertStore`.
21pub fn empty() -> Self {
22Self { roots: Vec::new() }
23 }
2425/// Parse the given DER-encoded certificates and add all that can be parsed
26 /// in a best-effort fashion.
27 ///
28 /// This is because large collections of root certificates often
29 /// include ancient or syntactically invalid certificates.
30 ///
31 /// Returns the number of certificates added, and the number that were ignored.
32pub fn add_parsable_certificates<'a>(
33&mut self,
34 der_certs: impl IntoIterator<Item = CertificateDer<'a>>,
35 ) -> (usize, usize) {
36let mut valid_count = 0;
37let mut invalid_count = 0;
3839for der_cert in der_certs {
40#[cfg_attr(not(feature = "logging"), allow(unused_variables))]
41match anchor_from_trusted_cert(&der_cert) {
42Ok(anchor) => {
43self.roots.push(anchor.to_owned());
44 valid_count += 1;
45 }
46Err(err) => {
47trace!("invalid cert der {:?}", der_cert.as_ref());
48debug!("certificate parsing failed: {err:?}");
49 invalid_count += 1;
50 }
51 };
52 }
5354debug!(
55"add_parsable_certificates processed {valid_count} valid and {invalid_count} invalid certs"
56);
5758 (valid_count, invalid_count)
59 }
6061/// Add a single DER-encoded certificate to the store.
62 ///
63 /// This is suitable for a small set of root certificates that are expected to parse
64 /// successfully. For large collections of roots (for example from a system store) it
65 /// is expected that some of them might not be valid according to the rules rustls
66 /// implements. As long as a relatively limited number of certificates are affected,
67 /// this should not be a cause for concern. Use [`RootCertStore::add_parsable_certificates`]
68 /// in order to add as many valid roots as possible and to understand how many certificates
69 /// have been diagnosed as malformed.
70pub fn add(&mut self, der: CertificateDer<'_>) -> Result<(), Error> {
71self.roots.push(
72 anchor_from_trusted_cert(&der)
73 .map_err(pki_error)?
74.to_owned(),
75 );
76Ok(())
77 }
7879/// Return the DER encoded [`DistinguishedName`] of each trust anchor subject in the root
80 /// cert store.
81 ///
82 /// Each [`DistinguishedName`] will be a DER-encoded X.500 distinguished name, per
83 /// [RFC 5280 A.1], including the outer `SEQUENCE`.
84 ///
85 /// [RFC 5280 A.1]: https://www.rfc-editor.org/rfc/rfc5280#appendix-A.1
86pub fn subjects(&self) -> Vec<DistinguishedName> {
87self.roots
88 .iter()
89 .map(|ta| DistinguishedName::in_sequence(ta.subject.as_ref()))
90 .collect()
91 }
9293/// Return true if there are no certificates.
94pub fn is_empty(&self) -> bool {
95self.len() == 0
96}
9798/// Say how many certificates are in the container.
99pub fn len(&self) -> usize {
100self.roots.len()
101 }
102}
103104impl FromIterator<TrustAnchor<'static>> for RootCertStore {
105fn from_iter<T: IntoIterator<Item = TrustAnchor<'static>>>(iter: T) -> Self {
106Self {
107 roots: iter.into_iter().collect(),
108 }
109 }
110}
111112impl Extend<TrustAnchor<'static>> for RootCertStore {
113fn extend<T: IntoIterator<Item = TrustAnchor<'static>>>(&mut self, iter: T) {
114self.roots.extend(iter);
115 }
116}
117118impl fmt::Debug for RootCertStore {
119fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
120 f.debug_struct("RootCertStore")
121 .field("roots", &format!("({} roots)", &self.roots.len()))
122 .finish()
123 }
124}
125126#[test]
127fn root_cert_store_debug() {
128use core::iter;
129130use pki_types::Der;
131132let ta = TrustAnchor {
133 subject: Der::from_slice(&[]),
134 subject_public_key_info: Der::from_slice(&[]),
135 name_constraints: None,
136 };
137let store = RootCertStore::from_iter(iter::repeat(ta).take(138));
138139assert_eq!(
140format!("{store:?}"),
141"RootCertStore { roots: \"(138 roots)\" }"
142);
143}