feat(pki): Verify&Load submit request

Closes #11322

Author: FirelightFlagboy

libparsec/crates/platform_pki/examples/verify_certificate.rs

@@ -26,7 +26,7 @@ pub fn main() -> anyhow::Result<()> {
         .context("Cannot get certificate")?;
 
     let end_cert = untrusted_certificate
-        .into_end_certificate()
+        .to_end_certificate()
         .context("Invalid certificate")?;
     println!("Untrusted certificate: {}", utils::display_cert(&end_cert));
 

libparsec/crates/platform_pki/examples/verify_message.rs

@@ -44,7 +44,10 @@ fn main() -> anyhow::Result<()> {
         message: data,
     };
 
-    match verify_message(&signed_message, cert) {
+    match verify_message(
+        &signed_message,
+        &cert.to_end_certificate().context("Invalid certificate")?,
+    ) {
         Ok(_) => {
             println!("The message as a correct signature")
         }

libparsec/crates/platform_pki/src/errors.rs

@@ -33,7 +33,7 @@ error_set::error_set! {
         #[display("Invalid certificate: {0}")]
         InvalidCertificateDer(webpki::Error),
     }
-    VerifySignatureError := InvalidCertificateDer || {
+    VerifySignatureError := {
         #[display("Invalid signature for the given message and certificate")]
         InvalidSignature,
         #[display("Unexpected signature will verifying signature of a message: {0}")]
@@ -50,4 +50,12 @@ error_set::error_set! {
         #[display("The provided certificate cannot be trusted: {0}")]
         Untrusted(webpki::Error),
     }
+    ValidatePayloadError := InvalidCertificateDer
+        || ListTrustedRootCertificatesError
+        || VerifyCertificateError
+        || VerifySignatureError
+    DataError := {
+        DataError(libparsec_types::DataError)
+    }
+    LoadSubmitPayloadError := ValidatePayloadError || DataError
 }

libparsec/crates/platform_pki/src/lib.rs

@@ -179,3 +179,6 @@ pub use platform::is_available;
 
 pub use errors::VerifyCertificateError;
 pub use shared::verify_certificate;
+
+pub use errors::LoadSubmitPayloadError;
+pub use shared::load_submit_payload;

libparsec/crates/platform_pki/src/shared/mod.rs

@@ -4,7 +4,9 @@ mod signature_verification;
 
 use crate::{
     encrypt_message,
-    errors::{InvalidPemContent, VerifyCertificateError, VerifySignatureError},
+    errors::{
+        InvalidPemContent, ValidatePayloadError, VerifyCertificateError, VerifySignatureError,
+    },
     shared::signature_verification::{RsassaPssSha256SignatureVerifier, SUPPORTED_SIG_ALGS},
     EncryptedMessage, SignatureAlgorithm,
 };
@@ -38,7 +40,7 @@ impl<'a> Certificate<'a> {
         Certificate::new(self.internal.clone().into_owned())
     }
 
-    pub fn into_end_certificate(&self) -> Result<EndEntityCert<'_>, WebPkiError> {
+    pub fn to_end_certificate(&self) -> Result<EndEntityCert<'_>, WebPkiError> {
         EndEntityCert::try_from(&self.internal)
     }
 }
@@ -61,15 +63,14 @@ pub struct SignedMessage {
     pub message: Vec<u8>,
 }
 
-pub fn verify_message<'message>(
+pub fn verify_message<'message, 'a>(
     signed_message: &'message SignedMessage,
-    certificate: Certificate<'_>,
+    certificate: &'a EndEntityCert<'a>,
 ) -> Result<&'message [u8], VerifySignatureError> {
     let verifier = match signed_message.algo {
         SignatureAlgorithm::RsassaPssSha256 => &RsassaPssSha256SignatureVerifier,
     };
-    EndEntityCert::try_from(&certificate.internal)
-        .map_err(VerifySignatureError::InvalidCertificateDer)?
+    certificate
         .verify_signature(verifier, &signed_message.message, &signed_message.signature)
         .map(|_| signed_message.message.as_ref())
         .map_err(|e| match e {
@@ -134,3 +135,35 @@ pub fn verify_certificate<'der>(
         )
         .map_err(VerifyCertificateError::Untrusted)
 }
+
+pub fn load_submit_payload(
+    der_certificate: &[u8],
+    signed_message: &SignedMessage,
+    now: DateTime,
+) -> Result<PkiEnrollmentSubmitPayload, crate::errors::LoadSubmitPayloadError> {
+    let validated_payload = validate_payload(der_certificate, signed_message, now)?;
+    PkiEnrollmentSubmitPayload::load(validated_payload).map_err(Into::into)
+}
+
+pub fn validate_payload<'message>(
+    der_certificate: &[u8],
+    signed_message: &'message SignedMessage,
+    now: DateTime,
+) -> Result<&'message [u8], ValidatePayloadError> {
+    let binding = Certificate::from_der(der_certificate);
+    let untrusted_cert = binding
+        .to_end_certificate()
+        .map_err(ValidatePayloadError::InvalidCertificateDer)?;
+    let trusted_anchor = crate::list_trusted_root_certificate_anchor()?;
+    let verified_path = verify_certificate(
+        &untrusted_cert,
+        &trusted_anchor,
+        // TODO: Consider listing intermediate certificate
+        &[],
+        now,
+        KeyUsage::client_auth(),
+    )?;
+    let trusted_cert = verified_path.end_entity();
+
+    verify_message(signed_message, trusted_cert).map_err(Into::into)
+}