x509-cert: impl DecodeValue for Time (#1986)

baloo · web-flow · commit cfacd3efed49 · 2025-08-06T14:44:46.000-07:00
* x509-cert: impl `DecodeValue` for `Time`

To deserialize SigningTime attributes from CMS, Time needs implement DecodeValue.a

```
  -- rfc3852
  Attribute ::= SEQUENCE {
    attrType OBJECT IDENTIFIER,
    attrValues SET OF AttributeValue }

  AttributeValue ::= ANY

  -- rfc5911

  SigningTime  ::= Time

  Time ::= CHOICE {
      utcTime UTCTime,
      generalTime GeneralizedTime }

  aa-signingTime ATTRIBUTE ::=
      { TYPE SigningTime IDENTIFIED BY id-signingTime }
  id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
```

This adds the missing implementation.

* der_derive: impl DecodeValue for Choice
diff --git a/cms/tests/signed_data.rs b/cms/tests/signed_data.rs
@@ -2,8 +2,14 @@
 
 use cms::content_info::ContentInfo;
 use cms::signed_data::{SignedData, SignerInfos};
-use der::{AnyRef, Decode, DecodePem, Encode, ErrorKind, Tag};
-use x509_cert::Certificate;
+use const_oid::db::rfc5911;
+use core::str::FromStr;
+use der::{AnyRef, DateTime, Decode, DecodePem, Encode, ErrorKind, Tag, asn1::SetOfVec};
+use x509_cert::{
+    Certificate,
+    attr::{Attribute, AttributeValue},
+    time::Time,
+};
 
 #[test]
 fn trust_list_sd_test() {
@@ -143,3 +149,23 @@ fn certs_to_p7b() {
     let p7b_buf2 = p7b_ee.to_der().unwrap();
     assert_eq!(p7b_buf, p7b_buf2.as_slice());
 }
+
+#[test]
+fn encode_decode_signing_time() {
+    let time = DateTime::from_str("2024-12-31T23:59:59Z").unwrap();
+
+    // First serialize the attribute
+    let time = Time::from(time);
+    let time_der = time.to_der().unwrap();
+    let signing_time_attribute_value = AttributeValue::from_der(&time_der).unwrap();
+    let mut values = SetOfVec::<AttributeValue>::new();
+    values.insert(signing_time_attribute_value.clone()).unwrap();
+    let _attribute = Attribute {
+        oid: rfc5911::ID_SIGNING_TIME,
+        values,
+    };
+
+    // and deserialize
+    let time_deserialized = signing_time_attribute_value.decode_as::<Time>().unwrap();
+    assert_eq!(time, time_deserialized);
+}
diff --git a/der_derive/src/asn1_type.rs b/der_derive/src/asn1_type.rs
@@ -61,12 +61,25 @@ impl Asn1Type {
         let type_path = self.type_path();
         quote!(#type_path::decode(reader)?)
     }
+
     /// Get a `der::Decoder` optional object for a particular ASN.1 type
     pub fn decoder_optional(self) -> TokenStream {
         let type_path = self.type_path();
         quote!(Option::<#type_path>::decode(reader)?)
     }
 
+    /// Get a `der::DecodeValue` member object for a particular ASN.1 type
+    pub fn value_decoder(self) -> TokenStream {
+        let type_path = self.type_path();
+        quote!(#type_path::decode_value(reader, header)?)
+    }
+
+    /// Get a `der::DecodeValue` member object for a particular ASN.1 type
+    pub fn value_decoder_optional(self) -> TokenStream {
+        let type_path = self.type_path();
+        quote!(Option::<#type_path>::decode_value(reader, header)?)
+    }
+
     /// Get a `der::Encoder` object for a particular ASN.1 type
     pub fn encoder(self, binding: &TokenStream) -> TokenStream {
         let type_path = self.type_path();
diff --git a/der_derive/src/attributes.rs b/der_derive/src/attributes.rs
@@ -296,6 +296,26 @@ impl FieldAttrs {
         }
     }
 
+    /// Get a `der::DecodeValue` member which respects these field attributes.
+    pub fn value_decoder(&self) -> TokenStream {
+        if let Some(default) = &self.default {
+            let type_params = self.asn1_type.map(|ty| ty.type_path()).unwrap_or_default();
+            self.asn1_type.map(|ty| ty.value_decoder()).unwrap_or_else(|| {
+                quote! {
+                    Option::<#type_params>::decode_value(reader, header)?.unwrap_or_else(#default),
+                }
+            })
+        } else if self.is_optional() {
+            self.asn1_type
+                .map(|ty| ty.value_decoder_optional())
+                .unwrap_or_else(|| quote!(<_>::decode_value(reader, header)?))
+        } else {
+            self.asn1_type
+                .map(|ty| ty.value_decoder())
+                .unwrap_or_else(|| quote!(<_>::decode_value(reader, header)?))
+        }
+    }
+
     pub fn custom_class_decoder(&self, class_num: &ClassNum) -> TokenStream {
         let type_params = self.asn1_type.map(|ty| ty.type_path()).unwrap_or(quote!(_));
         let ClassTokens {
diff --git a/der_derive/src/choice.rs b/der_derive/src/choice.rs
@@ -76,13 +76,15 @@ impl DeriveChoice {
 
         let mut can_decode_body = Vec::new();
         let mut decode_body = Vec::new();
+        let mut decode_value_body = Vec::new();
         let mut encode_body = Vec::new();
         let mut value_len_body = Vec::new();
         let mut tagged_body = Vec::new();
 
         for variant in &self.variants {
             can_decode_body.push(variant.tag.to_tokens());
             decode_body.push(variant.to_decode_tokens());
+            decode_value_body.push(variant.to_decode_value_tokens());
             encode_body.push(variant.to_encode_value_tokens());
             value_len_body.push(variant.to_value_len_tokens());
             tagged_body.push(variant.to_tagged_tokens());
@@ -120,6 +122,24 @@ impl DeriveChoice {
                 }
             }
 
+            impl #impl_generics ::der::DecodeValue<#lifetime> for #ident #ty_generics #where_clause {
+                type Error = #error;
+
+                fn decode_value<R: ::der::Reader<#lifetime>>(reader: &mut R, header: der::Header) -> ::core::result::Result<Self, #error> {
+                    match header.tag() {
+                        #(#decode_value_body)*
+                        actual => Err(::der::Error::new(
+                            ::der::ErrorKind::TagUnexpected {
+                                expected: None,
+                                actual
+                            },
+                            reader.position()
+                        ).into()
+                        ),
+                    }
+                }
+            }
+
             impl #impl_generics ::der::EncodeValue for #ident #ty_generics #where_clause {
                 fn encode_value(&self, encoder: &mut impl ::der::Writer) -> ::der::Result<()> {
                     match self {
diff --git a/der_derive/src/choice/variant.rs b/der_derive/src/choice/variant.rs
@@ -97,7 +97,7 @@ impl ChoiceVariant {
         Ok(Self { ident, attrs, tag })
     }
 
-    /// Derive a match arm of the impl body for `TryFrom<der::asn1::Any<'_>>`.
+    /// Derive a match arm of the impl body for `der::Decode<'_>`.
     pub(super) fn to_decode_tokens(&self) -> TokenStream {
         let tag = self.tag.to_tokens();
         let ident = &self.ident;
@@ -109,6 +109,18 @@ impl ChoiceVariant {
         }
     }
 
+    /// Derive a match arm of the impl body for `der::DecodeValue<'_>`.
+    pub(super) fn to_decode_value_tokens(&self) -> TokenStream {
+        let tag = self.tag.to_tokens();
+        let ident = &self.ident;
+        let decoder = self.attrs.value_decoder();
+
+        match self.attrs.asn1_type {
+            Some(..) => quote! { #tag => Ok(Self::#ident(#decoder.try_into()?)), },
+            None => quote! { #tag => Ok(Self::#ident(#decoder)), },
+        }
+    }
+
     /// Derive a match arm for the impl body for `der::EncodeValue::encode_value`.
     pub(super) fn to_encode_value_tokens(&self) -> TokenStream {
         let ident = &self.ident;
@@ -189,6 +201,16 @@ mod tests {
             .to_string()
         );
 
+        assert_eq!(
+            variant.to_decode_value_tokens().to_string(),
+            quote! {
+                ::der::Tag::Utf8String => Ok(Self::ExampleVariant(
+                    <_>::decode_value(reader, header)?
+                )),
+            }
+            .to_string()
+        );
+
         assert_eq!(
             variant.to_encode_value_tokens().to_string(),
             quote! {
diff --git a/x509-cert/src/ext/pkix/name/dirstr.rs b/x509-cert/src/ext/pkix/name/dirstr.rs
@@ -2,7 +2,7 @@ use alloc::borrow::Cow;
 use alloc::string::String;
 use alloc::string::ToString;
 use der::{
-    Choice, FixedTag, Header, Reader, ValueOrd,
+    Choice, ValueOrd,
     asn1::{Any, BmpString, PrintableString, TeletexString},
 };
 
@@ -66,27 +66,6 @@ impl<'a> TryFrom<&'a Any> for DirectoryString {
     }
 }
 
-impl<'a> der::DecodeValue<'a> for DirectoryString {
-    type Error = der::Error;
-
-    fn decode_value<R: Reader<'a>>(reader: &mut R, header: Header) -> Result<Self, Self::Error> {
-        match header.tag() {
-            PrintableString::TAG => {
-                PrintableString::decode_value(reader, header).map(Self::PrintableString)
-            }
-            TeletexString::TAG => {
-                TeletexString::decode_value(reader, header).map(Self::TeletexString)
-            }
-            String::TAG => String::decode_value(reader, header).map(Self::Utf8String),
-            BmpString::TAG => BmpString::decode_value(reader, header).map(Self::BmpString),
-            actual => Err(der::ErrorKind::TagUnexpected {
-                expected: None,
-                actual,
-            }
-            .into()),
-        }
-    }
-}
 impl DirectoryString {
     /// Returns `Borrowed` variant for UTF-8 compatible strings
     /// and `Owned` variant otherwise.
