RustCrypto · tarcieri · Mar 10, 2022 · Mar 4, 2022
diff --git a/x509/src/attr.rs b/x509/src/attr.rs
@@ -1,7 +1,11 @@
 //! Attribute-related definitions as defined in X.501 (and updated by RFC 5280).
 
+use alloc::vec::Vec;
+use core::fmt::{self, Write};
+
+use const_oid::db::DB;
 use der::asn1::{Any, ObjectIdentifier, SetOfVec};
-use der::{Decodable, Sequence, ValueOrd};
+use der::{Decodable, Encodable, Error, ErrorKind, Sequence, Tag, Tagged, ValueOrd};
 
 /// X.501 `AttributeType` as defined in [RFC 5280 Appendix A.1].
 ///
@@ -51,7 +55,7 @@ pub struct Attribute<'a> {
 }
 
 impl<'a> TryFrom<&'a [u8]> for Attribute<'a> {
-    type Error = der::Error;
+    type Error = Error;
 
     fn try_from(bytes: &'a [u8]) -> Result<Self, Self::Error> {
         Self::from_der(bytes)
@@ -83,3 +87,164 @@ pub struct AttributeTypeAndValue<'a> {
     pub oid: AttributeType,
     pub value: Any<'a>,
 }
+
+#[derive(Copy, Clone)]
+enum Escape {
+    None,
+    Some,
+    Hex(u8),
+}
+
+struct Parser {
+    state: Escape,
+    bytes: Vec<u8>,
+}
+
+impl Parser {
+    pub fn new() -> Self {
+        Self {
+            state: Escape::None,
+            bytes: Vec::new(),
+        }
+    }
+
+    fn push(&mut self, c: u8) {
+        self.state = Escape::None;
+        self.bytes.push(c);
+    }
+
+    pub fn add(&mut self, c: u8) -> Result<(), Error> {
+        match (self.state, c) {
+            (Escape::Hex(p), b'0'..=b'9') => self.push(p | (c - b'0')),
+            (Escape::Hex(p), b'a'..=b'f') => self.push(p | (c - b'a' + 10)),
+            (Escape::Hex(p), b'A'..=b'F') => self.push(p | (c - b'A' + 10)),
+
+            (Escape::Some, b'0'..=b'9') => self.state = Escape::Hex((c - b'0') << 4),
+            (Escape::Some, b'a'..=b'f') => self.state = Escape::Hex((c - b'a' + 10) << 4),
+            (Escape::Some, b'A'..=b'F') => self.state = Escape::Hex((c - b'A' + 10) << 4),
+
+            (Escape::Some, b' ' | b'"' | b'#' | b'=' | b'\\') => self.push(c),
+            (Escape::Some, b'+' | b',' | b';' | b'<' | b'>') => self.push(c),
+
+            (Escape::None, b'\\') => self.state = Escape::Some,
+            (Escape::None, ..) => self.push(c),
+
+            _ => return Err(ErrorKind::Failed.into()),
+        }
+
+        Ok(())
+    }
+
+    pub fn as_bytes(&self) -> &[u8] {
+        &self.bytes
+    }
+}
+
+impl AttributeTypeAndValue<'_> {
+    /// Parses the hex value in the `OID=#HEX` format.
+    fn encode_hex(oid: ObjectIdentifier, val: &str) -> Result<Vec<u8>, Error> {
+        // Ensure an even number of hex bytes.
+        let mut iter = match val.len() % 2 {
+            0 => [].iter().cloned().chain(val.bytes()),
+            1 => [0u8].iter().cloned().chain(val.bytes()),
+            _ => unreachable!(),
+        };
+
+        // Decode der bytes from hex.
+        let mut bytes = Vec::with_capacity((val.len() + 1) / 2);
+        while let (Some(h), Some(l)) = (iter.next(), iter.next()) {
+            let mut byte = 0u8;
+
+            for (half, shift) in [(h, 4), (l, 0)] {
+                match half {
+                    b'0'..=b'9' => byte |= (half - b'0') << shift,
+                    b'a'..=b'f' => byte |= (half - b'a' + 10) << shift,
+                    b'A'..=b'F' => byte |= (half - b'A' + 10) << shift,
+                    _ => return Err(ErrorKind::Failed.into()),
+                }
+            }
+
+            bytes.push(byte);
+        }
+
+        // Serialize.
+        let value = Any::from_der(&bytes)?;
+        let atv = AttributeTypeAndValue { oid, value };
+        atv.to_vec()
+    }
+
+    /// Parses the string value in the `NAME=STRING` format.
+    fn encode_str(oid: ObjectIdentifier, val: &str) -> Result<Vec<u8>, Error> {
+        // Undo escaping.
+        let mut parser = Parser::new();
+        for c in val.bytes() {
+            parser.add(c)?;
+        }
+
+        // Serialize.
+        let value = Any::new(Tag::Utf8String, parser.as_bytes())?;
+        let atv = AttributeTypeAndValue { oid, value };
+        atv.to_vec()
+    }
+
+    /// Converts an AttributeTypeAndValue string into an encoded AttributeTypeAndValue
+    ///
+    /// This function follows the rules in [RFC 4514].
+    ///
+    /// [RFC 4514]: https://datatracker.ietf.org/doc/html/rfc4514
+    pub fn encode_from_string(s: &str) -> Result<Vec<u8>, Error> {
+        let idx = s.find('=').ok_or_else(|| Error::from(ErrorKind::Failed))?;
+        let (key, val) = s.split_at(idx);
+        let val = &val[1..];
+
+        // Either decode or lookup the OID for the given key.
+        let oid = match DB.by_name(key) {
+            Some(oid) => *oid,
+            None => ObjectIdentifier::new(key)?,
+        };
+
+        // If the value is hex-encoded DER...
+        match val.strip_prefix('#') {
+            Some(val) => Self::encode_hex(oid, val),
+            None => Self::encode_str(oid, val),
+        }
+    }
+}
+
+/// Serializes the structure according to the rules in [RFC 4514].
+///
+/// [RFC 4514]: https://datatracker.ietf.org/doc/html/rfc4514
+impl fmt::Display for AttributeTypeAndValue<'_> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let val = match self.value.tag() {
+            Tag::PrintableString => self.value.printable_string().ok().map(|s| s.as_str()),
+            Tag::Utf8String => self.value.utf8_string().ok().map(|s| s.as_str()),
+            Tag::Ia5String => self.value.ia5_string().ok().map(|s| s.as_str()),
+            _ => None,
+        };
+
+        if let (Some(key), Some(val)) = (DB.by_oid(&self.oid), val) {
+            write!(f, "{}=", key.to_ascii_uppercase())?;
+
+            let mut iter = val.char_indices().peekable();
+            while let Some((i, c)) = iter.next() {
+                match c {
+                    '#' if i == 0 => write!(f, "\\#")?,
+                    ' ' if i == 0 || iter.peek().is_none() => write!(f, "\\ ")?,
+                    '"' | '+' | ',' | ';' | '<' | '>' | '\\' => write!(f, "\\{}", c)?,
+                    '\x00'..='\x1f' | '\x7f' => write!(f, "\\{:02x}", c as u8)?,
+                    _ => f.write_char(c)?,
+                }
+            }
+        } else {
+            let value = self.value.to_vec().or(Err(fmt::Error))?;
+
+            write!(f, "{}=#", self.oid)?;
+            for c in value {
+                write!(f, "{:02x}", c)?;
+            }
+        }
+
+        Ok(())
+    }
+}
diff --git a/x509/src/name.rs b/x509/src/name.rs
@@ -1,8 +1,10 @@
 //! Name-related definitions as defined in X.501 (and updated by RFC 5280).
 
+use alloc::vec::Vec;
+
 use crate::attr::AttributeTypeAndValue;
 
-use der::asn1::SetOfVec;
+use der::{asn1::SetOfVec, Decodable, Encodable, Newtype};
 
 /// X.501 Name as defined in [RFC 5280 Section 4.1.2.4]. X.501 Name is used to represent distinguished names.
 ///
@@ -20,7 +22,73 @@ pub type Name<'a> = RdnSequence<'a>;
 /// ```
 ///
 /// [RFC 5280 Section 4.1.2.4]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
-pub type RdnSequence<'a> = alloc::vec::Vec<RelativeDistinguishedName<'a>>;
+#[derive(Clone, Debug, Default, PartialEq, Eq, Newtype)]
+pub struct RdnSequence<'a>(pub Vec<RelativeDistinguishedName<'a>>);
+
+/// Find the indices of all non-escaped separators.
+fn find(s: &str, b: u8) -> impl '_ + Iterator<Item = usize> {
+    (0..s.len())
+        .filter(move |i| s.as_bytes()[*i] == b)
+        .filter(|i| {
+            let x = i
+                .checked_sub(2)
+                .map(|i| s.as_bytes()[i])
+                .unwrap_or_default();
+
+            let y = i
+                .checked_sub(1)
+                .map(|i| s.as_bytes()[i])
+                .unwrap_or_default();
+
+            y != b'\\' || x == b'\\'
+        })
+}
+
+/// Split a string at all non-escaped separators.
+fn split(s: &str, b: u8) -> impl '_ + Iterator<Item = &'_ str> {
+    let mut prev = 0;
+    find(s, b).chain([s.len()].into_iter()).map(move |i| {
+        let x = &s[prev..i];
+        prev = i + 1;
+        x
+    })
+}
+
+impl RdnSequence<'_> {
+    /// Converts an RDNSequence string into an encoded RDNSequence
+    ///
+    /// This function follows the rules in [RFC 4514].
+    ///
+    /// [RFC 4514]: https://datatracker.ietf.org/doc/html/rfc4514
+    pub fn encode_from_string(s: &str) -> Result<Vec<u8>, der::Error> {
+        let ders = split(s, b',')
+            .map(RelativeDistinguishedName::encode_from_string)
+            .collect::<Result<Vec<_>, der::Error>>()?;
+
+        let mut out = Vec::new();
+        for der in ders.iter() {
+            out.push(RelativeDistinguishedName::from_der(der)?);
+        }
+
+        RdnSequence(out).to_vec()
+    }
+}
+
+/// Serializes the structure according to the rules in [RFC 4514].
+///
+/// [RFC 4514]: https://datatracker.ietf.org/doc/html/rfc4514
+impl core::fmt::Display for RdnSequence<'_> {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        for (i, atv) in self.0.iter().enumerate() {
+            match i {
+                0 => write!(f, "{}", atv)?,
+                _ => write!(f, ",{}", atv)?,
+            }
+        }
+
+        Ok(())
+    }
+}
 
 /// X.501 DistinguishedName as defined in [RFC 5280 Section 4.1.2.4].
 ///
@@ -55,4 +123,41 @@ pub type DistinguishedName<'a> = RdnSequence<'a>;
 /// ```
 ///
 /// [RFC 5280 Section 4.1.2.4]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4
-pub type RelativeDistinguishedName<'a> = SetOfVec<AttributeTypeAndValue<'a>>;
+#[derive(Clone, Debug, Default, PartialEq, Eq, Newtype)]
+pub struct RelativeDistinguishedName<'a>(pub SetOfVec<AttributeTypeAndValue<'a>>);
+
+impl RelativeDistinguishedName<'_> {
+    /// Converts an RelativeDistinguishedName string into an encoded RelativeDistinguishedName
+    ///
+    /// This function follows the rules in [RFC 4514].
+    ///
+    /// [RFC 4514]: https://datatracker.ietf.org/doc/html/rfc4514
+    pub fn encode_from_string(s: &str) -> Result<Vec<u8>, der::Error> {
+        let ders = split(s, b'+')
+            .map(AttributeTypeAndValue::encode_from_string)
+            .collect::<Result<Vec<_>, der::Error>>()?;
+
+        let atvs = ders
+            .iter()
+            .map(|der| AttributeTypeAndValue::from_der(der))
+            .collect::<Result<Vec<_>, der::Error>>()?;
+
+        RelativeDistinguishedName(atvs.try_into()?).to_vec()
+    }
+}
+
+/// Serializes the structure according to the rules in [RFC 4514].
+///
+/// [RFC 4514]: https://datatracker.ietf.org/doc/html/rfc4514
+impl core::fmt::Display for RelativeDistinguishedName<'_> {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        for (i, atv) in self.0.iter().enumerate() {
+            match i {
+                0 => write!(f, "{}", atv)?,
+                _ => write!(f, "+{}", atv)?,
+            }
+        }
+
+        Ok(())
+    }
+}
diff --git a/x509/tests/certificate.rs b/x509/tests/certificate.rs
@@ -218,9 +218,9 @@ fn decode_cert() {
     );
 
     let mut counter = 0;
-    let i = cert.tbs_certificate.issuer.iter();
+    let i = cert.tbs_certificate.issuer.0.iter();
     for rdn in i {
-        let i1 = rdn.iter();
+        let i1 = rdn.0.iter();
         for atav in i1 {
             if 0 == counter {
                 assert_eq!(atav.oid.to_string(), "2.5.4.6");
@@ -263,9 +263,9 @@ fn decode_cert() {
     );
 
     counter = 0;
-    let i = cert.tbs_certificate.subject.iter();
+    let i = cert.tbs_certificate.subject.0.iter();
     for rdn in i {
-        let i1 = rdn.iter();
+        let i1 = rdn.0.iter();
         for atav in i1 {
             // Yes, this cert features RDNs encoded in reverse order
             if 0 == counter {

diff --git a/x509/tests/certreq.rs b/x509/tests/certreq.rs
@@ -34,17 +34,17 @@ fn decode_rsa_2048_der() {
     assert_eq!(cr.info.version, Version::V1);
 
     // Check all the RDNs.
-    assert_eq!(cr.info.subject.len(), NAMES.len());
-    for (name, (oid, val)) in cr.info.subject.iter().zip(NAMES) {
-        let kind = name.get(0).unwrap();
+    assert_eq!(cr.info.subject.0.len(), NAMES.len());
+    for (name, (oid, val)) in cr.info.subject.0.iter().zip(NAMES) {
+        let kind = name.0.get(0).unwrap();
         let value = match kind.value.tag() {
             Tag::Utf8String => kind.value.utf8_string().unwrap().as_str(),
             Tag::PrintableString => kind.value.printable_string().unwrap().as_str(),
             _ => panic!("unexpected tag"),
         };
 
         assert_eq!(kind.oid, oid.parse().unwrap());
-        assert_eq!(name.len(), 1);
+        assert_eq!(name.0.len(), 1);
         assert_eq!(value, *val);
     }