feat: Review c2pa-crypto crate API (#813)

Author: scouten-adobe

internal/crypto/src/asn1/rfc3161.rs

@@ -24,11 +24,6 @@ use crate::asn1::{rfc4210::PkiFreeText, rfc5652::ContentInfo};
 /// 1.2.840.113549.1.9.16.1.4
 pub const OID_CONTENT_TYPE_TST_INFO: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 4]);
 
-/// id-aa-timeStampToken
-///
-/// 1.2.840.113549.1.9.16.2.14
-pub const OID_TIME_STAMP_TOKEN: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 2, 14]);
-
 /// A time-stamp request.
 ///
 /// ```ASN.1
@@ -53,6 +48,7 @@ pub struct TimeStampReq {
 }
 
 impl TimeStampReq {
+    #[allow(dead_code)] // not used on all platforms
     pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
         cons.take_sequence(|cons| {
             let version = Integer::take_from(cons)?;
@@ -149,17 +145,6 @@ impl TimeStampResp {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.status.encode_ref(),
-            if let Some(time_stamp_token) = &self.time_stamp_token {
-                Some(time_stamp_token)
-            } else {
-                None
-            },
-        ))
-    }
 }
 
 /// PKI status info
@@ -191,16 +176,6 @@ impl PkiStatusInfo {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.status.encode(),
-            self.status_string
-                .as_ref()
-                .map(|status_string| status_string.encode_ref()),
-            self.fail_info.as_ref().map(|fail_info| fail_info.encode()),
-        ))
-    }
 }
 
 /// PKI status.

internal/crypto/src/asn1/rfc3281.rs

@@ -79,6 +79,7 @@ impl AttributeCertificateInfo {
 }
 
 #[derive(Clone, Copy, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum AttCertVersion {
     V2 = 1,
 }
@@ -104,6 +105,7 @@ pub struct Holder {
 }
 
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum DigestedObjectType {
     PublicKey = 0,
     PublicKeyCert = 1,
@@ -142,6 +144,7 @@ pub struct ObjectDigestInfo {
 /// }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum AttCertIssuer {
     V1Form(GeneralNames),
     V2Form(Box<V2Form>),

internal/crypto/src/asn1/rfc4210.rs

@@ -8,7 +8,6 @@
 
 use bcder::{
     decode::{Constructed, DecodeError, Source},
-    encode::{self, Values},
     Tag, Utf8String,
 };
 
@@ -27,10 +26,6 @@ impl PkiFreeText {
         cons.take_opt_sequence(|cons| Self::from_sequence(cons))
     }
 
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_sequence(|cons| Self::from_sequence(cons))
-    }
-
     pub fn from_sequence<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -44,8 +39,4 @@ impl PkiFreeText {
 
         Ok(Self(res))
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence(encode::slice(&self.0, |x| x.clone().encode()))
-    }
 }

internal/crypto/src/asn1/rfc5652.rs

@@ -29,43 +29,11 @@ use x509_certificate::{asn1time::*, rfc3280::*, rfc5280::*, rfc5652::*};
 
 use crate::asn1::rfc3281::AttributeCertificate;
 
-/// The data content type.
-///
-/// `id-data` in the specification.
-///
-/// 1.2.840.113549.1.7.1
-pub const OID_ID_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 1]);
-
 /// The signed-data content type.
 ///
 /// 1.2.840.113549.1.7.2
 pub const OID_ID_SIGNED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 2]);
 
-/// Enveloped data content type.
-///
-/// 1.2.840.113549.1.7.3
-pub const OID_ENVELOPE_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 3]);
-
-/// Digested-data content type.
-///
-/// 1.2.840.113549.1.7.5
-pub const OID_DIGESTED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 5]);
-
-/// Encrypted-data content type.
-///
-/// 1.2.840.113549.1.7.6
-pub const OID_ENCRYPTED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 7, 6]);
-
-/// Authenticated-data content type.
-///
-/// 1.2.840.113549.1.9.16.1.2
-pub const OID_AUTHENTICATED_DATA: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 16, 1, 2]);
-
-/// Identifies the content-type attribute.
-///
-/// 1.2.840.113549.1.9.3
-pub const OID_CONTENT_TYPE: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 3]);
-
 /// Identifies the message-digest attribute.
 ///
 /// 1.2.840.113549.1.9.4
@@ -76,11 +44,6 @@ pub const OID_MESSAGE_DIGEST: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9,
 /// 1.2.840.113549.1.9.5
 pub const OID_SIGNING_TIME: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 5]);
 
-/// Identifies the countersignature attribute.
-///
-/// 1.2.840.113549.1.9.6
-pub const OID_COUNTER_SIGNATURE: ConstOid = Oid(&[42, 134, 72, 134, 247, 13, 1, 9, 6]);
-
 /// Content info.
 ///
 /// ```ASN.1
@@ -158,23 +121,6 @@ pub struct SignedData {
 }
 
 impl SignedData {
-    /// Attempt to decode BER encoded bytes to a parsed data structure.
-    pub fn decode_ber(data: &[u8]) -> Result<Self, DecodeError<std::convert::Infallible>> {
-        Constructed::decode(data, bcder::Mode::Ber, Self::decode)
-    }
-
-    pub fn decode<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_sequence(|cons| {
-            let oid = Oid::take_from(cons)?;
-
-            if oid != OID_ID_SIGNED_DATA {
-                return Err(cons.content_err("expected signed data OID"));
-            }
-
-            cons.take_constructed_if(Tag::CTX_0, Self::take_from)
-        })
-    }
-
     pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
         cons.take_sequence(|cons| {
             let version = CmsVersion::take_from(cons)?;
@@ -197,25 +143,6 @@ impl SignedData {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            OID_ID_SIGNED_DATA.encode_ref(),
-            encode::sequence_as(
-                Tag::CTX_0,
-                encode::sequence((
-                    self.version.encode(),
-                    self.digest_algorithms.encode_ref(),
-                    self.content_info.encode_ref(),
-                    self.certificates
-                        .as_ref()
-                        .map(|certs| certs.encode_ref_as(Tag::CTX_0)),
-                    // TODO crls.
-                    self.signer_infos.encode_ref(),
-                )),
-            ),
-        ))
-    }
 }
 
 /// Digest algorithm identifiers.
@@ -252,10 +179,6 @@ impl DigestAlgorithmIdentifiers {
             Ok(Self(identifiers))
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::set(&self.0)
-    }
 }
 
 pub type DigestAlgorithmIdentifier = AlgorithmIdentifier;
@@ -294,10 +217,6 @@ impl SignerInfos {
             Ok(Self(infos))
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::set(&self.0)
-    }
 }
 
 /// Encapsulated content info.
@@ -343,15 +262,6 @@ impl EncapsulatedContentInfo {
             })
         })
     }
-
-    pub fn encode_ref(&self) -> impl Values + '_ {
-        encode::sequence((
-            self.content_type.encode_ref(),
-            self.content
-                .as_ref()
-                .map(|content| encode::sequence_as(Tag::CTX_0, content.encode_ref())),
-        ))
-    }
 }
 
 /// Per-signer information.
@@ -647,10 +557,6 @@ impl DerefMut for SignedAttributes {
 }
 
 impl SignedAttributes {
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_set(|cons| Self::take_from_set(cons))
-    }
-
     pub fn take_from_set<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -759,10 +665,6 @@ impl DerefMut for UnsignedAttributes {
 }
 
 impl UnsignedAttributes {
-    pub fn take_from<S: Source>(cons: &mut Constructed<S>) -> Result<Self, DecodeError<S::Error>> {
-        cons.take_set(|cons| Self::take_from_set(cons))
-    }
-
     pub fn take_from_set<S: Source>(
         cons: &mut Constructed<S>,
     ) -> Result<Self, DecodeError<S::Error>> {
@@ -846,6 +748,8 @@ pub type UnprotectedAttributes = Vec<Attribute>;
 ///   ori [4] OtherRecipientInfo }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
+#[allow(clippy::enum_variant_names)]
 pub enum RecipientInfo {
     KeyTransRecipientInfo(KeyTransRecipientInfo),
     KeyAgreeRecipientInfo(KeyAgreeRecipientInfo),
@@ -881,6 +785,7 @@ pub struct KeyTransRecipientInfo {
 ///   subjectKeyIdentifier [0] SubjectKeyIdentifier }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum RecipientIdentifier {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     SubjectKeyIdentifier(SubjectKeyIdentifier),
@@ -914,6 +819,7 @@ pub struct KeyAgreeRecipientInfo {
 ///   originatorKey [1] OriginatorPublicKey }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum OriginatorIdentifierOrKey {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     SubjectKeyIdentifier(SubjectKeyIdentifier),
@@ -957,6 +863,7 @@ pub struct RecipientEncryptedKey {
 ///   rKeyId [0] IMPLICIT RecipientKeyIdentifier }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum KeyAgreeRecipientIdentifier {
     IssuerAndSerialNumber(IssuerAndSerialNumber),
     RKeyId(RecipientKeyIdentifier),
@@ -1135,6 +1042,7 @@ impl RevocationInfoChoices {
 ///   other [1] IMPLICIT OtherRevocationInfoFormat }
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq)]
+#[allow(unused)]
 pub enum RevocationInfoChoice {
     Crl(Box<CertificateList>),
     Other(OtherRevocationInfoFormat),
@@ -1268,10 +1176,6 @@ impl CertificateSet {
 
         Ok(Self(certs))
     }
-
-    pub fn encode_ref_as(&self, tag: Tag) -> impl Values + '_ {
-        encode::set_as(tag, &self.0)
-    }
 }
 
 /// Issuer and serial number.
@@ -1372,10 +1276,6 @@ pub struct OtherKeyAttribute {
 
 pub type ContentType = Oid;
 
-pub type MessageDigest = OctetString;
-
-pub type SigningTime = Time;
-
 /// Time variant.
 ///
 /// ```ASN.1
@@ -1416,6 +1316,4 @@ impl From<Time> for chrono::DateTime<chrono::Utc> {
     }
 }
 
-pub type CounterSignature = SignerInfo;
-
 pub type AttributeCertificateV2 = AttributeCertificate;

internal/crypto/src/cose/mod.rs

@@ -39,14 +39,16 @@ pub use sign1::{
 };
 
 mod sigtst;
-pub use sigtst::{
-    add_sigtst_header, add_sigtst_header_async, cose_countersign_data, parse_and_validate_sigtst,
-    parse_and_validate_sigtst_async, TstToken,
+pub(crate) use sigtst::{
+    add_sigtst_header, add_sigtst_header_async, validate_cose_tst_info,
+    validate_cose_tst_info_async,
 };
-pub(crate) use sigtst::{validate_cose_tst_info, validate_cose_tst_info_async};
 
 mod time_stamp_storage;
 pub use time_stamp_storage::TimeStampStorage;
 
+mod validation_info;
+pub use validation_info::ValidationInfo;
+
 mod verifier;
 pub use verifier::Verifier;

internal/crypto/src/cose/ocsp.rs

@@ -27,8 +27,6 @@ use crate::{
 
 /// Given a COSE signature, extract the OCSP data and validate the status of
 /// that report.
-///
-/// TO DO: Determine if this needs to remain fully public after refactoring.
 #[async_generic]
 pub fn check_ocsp_status(
     sign1: &CoseSign1,

internal/crypto/src/cose/sign.rs

@@ -23,8 +23,7 @@ use serde_bytes::ByteBuf;
 use crate::{
     cose::{add_sigtst_header, add_sigtst_header_async, CoseError, TimeStampStorage},
     p1363::{der_to_p1363, parse_ec_der_sig},
-    raw_signature::{AsyncRawSigner, RawSigner},
-    SigningAlg,
+    raw_signature::{AsyncRawSigner, RawSigner, SigningAlg},
 };
 
 /// Given an arbitrary block of data and a [`RawSigner`] or [`AsyncRawSigner`]