Struct webpki::signed_data::SignedData
```rust
pub(crate) struct SignedData<'a> {
    data: Input<'a>,
    pub(crate) algorithm: Input<'a>,
    signature: Input<'a>,
}
```
X.509 certificates and related items that are signed are almost always encoded in the format “tbs||signatureAlgorithm||signature”. This structure captures this pattern.
Fields
`data: Input<'a>`
The signed data. This would be `tbsCertificate` in the case of an X.509 certificate, `tbsResponseData` in the case of an OCSP response, `tbsCertList` in the case of a CRL, and the data nested in the `digitally-signed` construct for TLS 1.2 signed data.
`algorithm: Input<'a>`
The value of the `AlgorithmIdentifier`. This would be `signatureAlgorithm` in the case of an X.509 certificate, OCSP response or CRL. This would have to be synthesized in the case of TLS 1.2 signed data, since TLS does not identify algorithms by ASN.1 OIDs.
`signature: Input<'a>`
The value of the signature. This would be `signature` in an X.509 certificate, OCSP response or CRL. This would be the value of `DigitallySigned.signature` for TLS 1.2 signed data.
Implementations
`impl<'a> SignedData<'a>`
`pub(crate) fn from_der(der: &mut Reader<'a>, size_limit: usize) -> Result<(Input<'a>, Self), Error>`
Parses the concatenation of “tbs||signatureAlgorithm||signature” that is common in the X.509 certificate and OCSP response syntaxes.
X.509 Certificates (RFC 5280) look like this:
```ASN.1
Certificate (SEQUENCE) {
    tbsCertificate TBSCertificate,
    signatureAlgorithm AlgorithmIdentifier,
    signatureValue BIT STRING
}
```
OCSP responses (RFC 6960) look like this:
```ASN.1
BasicOCSPResponse {
    tbsResponseData ResponseData,
    signatureAlgorithm AlgorithmIdentifier,
    signature BIT STRING,
    certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
}
```
Note that this function does NOT parse the outermost `SEQUENCE` or the `certs` value.
The return value’s first component is the contents of `tbsCertificate`/`tbsResponseData`; the second component is a `SignedData` structure that can be passed to `verify_signed_data`.
The provided `size_limit` will enforce the largest possible outermost `SEQUENCE` this function will read.
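
The split described above, as an added std-only sketch (not webpki's code; `Parts`, `tlv` and `split_signed` are hypothetical names, and applying `size_limit` to every length field is an assumption). The caller is assumed to have already unwrapped the outermost SEQUENCE, and anything after the signature, such as the OCSP `certs` field, is returned unparsed.

```rust
// Added sketch, std only; not webpki's code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub struct Parts<'a> {
    pub tbs_contents: &'a [u8], // contents of the tbs SEQUENCE, for further parsing
    pub data: &'a [u8],         // whole tbs TLV: the bytes the signature covers (RFC 5280)
    pub algorithm: &'a [u8],    // contents of the AlgorithmIdentifier SEQUENCE
    pub signature: &'a [u8],    // BIT STRING contents after the unused-bits octet
    pub rest: &'a [u8],         // unparsed tail, e.g. the OCSP `certs` field
}

/// Read one definite-length DER TLV with tag `tag`; returns (tlv, value, rest).
fn tlv(input: &[u8], tag: u8, limit: usize) -> Option<(&[u8], &[u8], &[u8])> {
    if *input.first()? != tag {
        return None;
    }
    let (len, hdr): (usize, usize) = match *input.get(1)? {
        n if n < 0x80 => (n as usize, 2),
        0x81 => (*input.get(2)? as usize, 3),
        0x82 => ((*input.get(2)? as usize) << 8 | *input.get(3)? as usize, 4),
        _ => return None, // indefinite and longer length forms are rejected
    };
    // DER requires the shortest length encoding; also apply the caller's cap.
    if (hdr == 3 && len < 0x80) || (hdr == 4 && len < 0x100) || len > limit {
        return None;
    }
    let end = hdr.checked_add(len)?;
    if end > input.len() {
        return None; // length field points past the available bytes
    }
    Some((&input[..end], &input[hdr..end], &input[end..]))
}

/// `inner` is the contents of the outermost SEQUENCE, already unwrapped by the caller.
pub fn split_signed(inner: &[u8], size_limit: usize) -> Option<Parts<'_>> {
    let (data, tbs_contents, after_tbs) = tlv(inner, 0x30, size_limit)?;
    let (_, algorithm, after_alg) = tlv(after_tbs, 0x30, size_limit)?;
    let (_, bits, rest) = tlv(after_alg, 0x03, size_limit)?;
    let (&unused, signature) = bits.split_first()?;
    if unused != 0 {
        return None; // signature must be a whole number of octets
    }
    Some(Parts { tbs_contents, data, algorithm, signature, rest })
}

fn main() {
    // Constructed sample: tiny tbs, Ed25519 AlgorithmIdentifier, 2-byte signature, empty [0].
    let inner: &[u8] = &[0x30, 3, 2, 1, 5, 0x30, 5, 6, 3, 0x2B, 0x65, 0x70, 3, 3, 0, 0xAA, 0xBB, 0xA0, 0];
    println!("{:?}", split_signed(inner, 0xFFFF));
}
```
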
`pub(crate) fn to_owned(&self) -> OwnedSignedData`
Convert the borrowed signed data to an `OwnedSignedData`.