feat: Consolidate implementations of cert_chain_from_sign1 in c2pa_crypto (#796)

Author: scouten-adobe

internal/crypto/src/cose/mod.rs

@@ -30,7 +30,7 @@ mod ocsp;
 pub use ocsp::{check_ocsp_status, check_ocsp_status_async, OcspFetchPolicy};
 
 mod sign1;
-pub use sign1::{parse_cose_sign1, signing_alg_from_sign1};
+pub use sign1::{cert_chain_from_sign1, parse_cose_sign1, signing_alg_from_sign1};
 
 mod sigtst;
 pub use sigtst::{

internal/crypto/src/cose/ocsp.rs

@@ -124,7 +124,9 @@ fn fetch_and_check_ocsp_response(
 
     #[cfg(not(target_arch = "wasm32"))]
     {
-        let certs = get_cert_chain(sign1)?;
+        use crate::cose::cert_chain_from_sign1;
+
+        let certs = cert_chain_from_sign1(sign1)?;
 
         let Some(ocsp_der) = crate::ocsp::fetch_ocsp_response(&certs) else {
             return Ok(OcspResponse::default());
@@ -186,85 +188,3 @@ fn get_ocsp_der(sign1: &coset::CoseSign1) -> Option<Vec<u8>> {
         }
     })
 }
-
-// TO DO: See if this gets more widely used in crate.
-#[cfg(not(target_arch = "wasm32"))]
-fn get_cert_chain(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
-    use coset::iana::{self, EnumI64};
-
-    // Check the protected header first.
-    let Some(value) = sign1
-        .protected
-        .header
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("x5chain".to_string())
-                || x.0 == Label::Int(iana::HeaderParameter::X5Chain.to_i64())
-            {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    else {
-        // Not there: Also try unprotected header. (This was permitted in older versions
-        // of C2PA.)
-        return get_unprotected_header_certs(sign1);
-    };
-
-    // Certs may be in protected or unprotected header, but not both.
-    if get_unprotected_header_certs(sign1).is_ok() {
-        return Err(CoseError::MultipleSigningCertificateChains);
-    }
-
-    cert_chain_from_cbor_value(value)
-}
-
-#[cfg(not(target_arch = "wasm32"))]
-fn get_unprotected_header_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
-    let Some(value) = sign1
-        .unprotected
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("x5chain".to_string()) {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    else {
-        return Err(CoseError::MissingSigningCertificateChain);
-    };
-
-    cert_chain_from_cbor_value(value)
-}
-
-#[cfg(not(target_arch = "wasm32"))]
-fn cert_chain_from_cbor_value(value: Value) -> Result<Vec<Vec<u8>>, CoseError> {
-    match value {
-        Value::Array(cert_chain) => {
-            let certs: Vec<Vec<u8>> = cert_chain
-                .iter()
-                .filter_map(|c| {
-                    if let Value::Bytes(der_bytes) = c {
-                        Some(der_bytes.clone())
-                    } else {
-                        None
-                    }
-                })
-                .collect();
-
-            if certs.is_empty() {
-                Err(CoseError::MissingSigningCertificateChain)
-            } else {
-                Ok(certs)
-            }
-        }
-
-        Value::Bytes(ref der_bytes) => Ok(vec![der_bytes.clone()]),
-
-        _ => Err(CoseError::MissingSigningCertificateChain),
-    }
-}

internal/crypto/src/cose/sign1.rs

@@ -12,7 +12,11 @@
 // each license.
 
 use c2pa_status_tracker::{log_item, validation_codes::CLAIM_SIGNATURE_MISMATCH, StatusTracker};
-use coset::{iana::Algorithm, CoseSign1, RegisteredLabelWithPrivate, TaggedCborSerializable};
+use ciborium::value::Value;
+use coset::{
+    iana::{self, Algorithm, EnumI64},
+    CoseSign1, Label, RegisteredLabelWithPrivate, TaggedCborSerializable,
+};
 
 use crate::{cose::CoseError, SigningAlg};
 
@@ -78,3 +82,80 @@ pub fn signing_alg_from_sign1(sign1: &coset::CoseSign1) -> Result<SigningAlg, Co
         _ => Err(CoseError::UnsupportedSigningAlgorithm),
     }
 }
+
+/// TEMPORARILY PUBLIC while refactoring.
+pub fn cert_chain_from_sign1(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
+    // Check the protected header first.
+    let Some(value) = sign1
+        .protected
+        .header
+        .rest
+        .iter()
+        .find_map(|x: &(Label, Value)| {
+            if x.0 == Label::Text("x5chain".to_string())
+                || x.0 == Label::Int(iana::HeaderParameter::X5Chain.to_i64())
+            {
+                Some(x.1.clone())
+            } else {
+                None
+            }
+        })
+    else {
+        // Not there: Also try unprotected header. (This was permitted in older versions
+        // of C2PA.)
+        return get_unprotected_header_certs(sign1);
+    };
+
+    // Certs may be in protected or unprotected header, but not both.
+    if get_unprotected_header_certs(sign1).is_ok() {
+        return Err(CoseError::MultipleSigningCertificateChains);
+    }
+
+    cert_chain_from_cbor_value(value)
+}
+
+fn get_unprotected_header_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>, CoseError> {
+    let Some(value) = sign1
+        .unprotected
+        .rest
+        .iter()
+        .find_map(|x: &(Label, Value)| {
+            if x.0 == Label::Text("x5chain".to_string()) {
+                Some(x.1.clone())
+            } else {
+                None
+            }
+        })
+    else {
+        return Err(CoseError::MissingSigningCertificateChain);
+    };
+
+    cert_chain_from_cbor_value(value)
+}
+
+fn cert_chain_from_cbor_value(value: Value) -> Result<Vec<Vec<u8>>, CoseError> {
+    match value {
+        Value::Array(cert_chain) => {
+            let certs: Vec<Vec<u8>> = cert_chain
+                .iter()
+                .filter_map(|c| {
+                    if let Value::Bytes(der_bytes) = c {
+                        Some(der_bytes.clone())
+                    } else {
+                        None
+                    }
+                })
+                .collect();
+
+            if certs.is_empty() {
+                Err(CoseError::MissingSigningCertificateChain)
+            } else {
+                Ok(certs)
+            }
+        }
+
+        Value::Bytes(ref der_bytes) => Ok(vec![der_bytes.clone()]),
+
+        _ => Err(CoseError::MissingSigningCertificateChain),
+    }
+}

sdk/src/cose_validator.rs

@@ -17,7 +17,7 @@ use async_generic::async_generic;
 use c2pa_crypto::{
     asn1::rfc3161::TstInfo,
     cose::{
-        check_certificate_profile, parse_cose_sign1, signing_alg_from_sign1,
+        cert_chain_from_sign1, check_certificate_profile, parse_cose_sign1, signing_alg_from_sign1,
         validate_cose_tst_info, validate_cose_tst_info_async, CertificateTrustError,
         CertificateTrustPolicy, CoseError, OcspFetchPolicy,
     },
@@ -28,11 +28,7 @@ use c2pa_crypto::{
     SigningAlg, ValidationInfo,
 };
 use c2pa_status_tracker::{log_item, validation_codes::*, StatusTracker};
-use ciborium::value::Value;
-use coset::{
-    iana::{self, EnumI64},
-    sig_structure_data, Label,
-};
+use coset::sig_structure_data;
 use x509_parser::{num_bigint::BigUint, prelude::*};
 
 use crate::{
@@ -136,108 +132,10 @@ fn check_trust(
 
 fn get_sign_cert(sign1: &coset::CoseSign1) -> Result<Vec<u8>> {
     // element 0 is the signing cert
-    let certs = get_sign_certs(sign1)?;
+    let certs = cert_chain_from_sign1(sign1)?;
     Ok(certs[0].clone())
 }
 
-fn get_unprotected_header_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>> {
-    if let Some(der) = sign1
-        .unprotected
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("x5chain".to_string()) {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    {
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        match der {
-            Value::Array(cert_chain) => {
-                // handle array of certs
-                for c in cert_chain {
-                    if let Value::Bytes(der_bytes) = c {
-                        certs.push(der_bytes.clone());
-                    }
-                }
-
-                if certs.is_empty() {
-                    Err(Error::CoseMissingKey)
-                } else {
-                    Ok(certs)
-                }
-            }
-            Value::Bytes(ref der_bytes) => {
-                // handle single cert case
-                certs.push(der_bytes.clone());
-                Ok(certs)
-            }
-            _ => Err(Error::CoseX5ChainMissing),
-        }
-    } else {
-        Err(Error::CoseX5ChainMissing)
-    }
-}
-// get the public key der
-fn get_sign_certs(sign1: &coset::CoseSign1) -> Result<Vec<Vec<u8>>> {
-    // check for protected header int, then protected header x5chain,
-    // then the legacy unprotected x5chain to get the public key der
-
-    // check the protected header
-    if let Some(der) = sign1
-        .protected
-        .header
-        .rest
-        .iter()
-        .find_map(|x: &(Label, Value)| {
-            if x.0 == Label::Text("x5chain".to_string())
-                || x.0 == Label::Int(iana::HeaderParameter::X5Chain.to_i64())
-            {
-                Some(x.1.clone())
-            } else {
-                None
-            }
-        })
-    {
-        // make sure there are no certs in the legacy unprotected header, certs
-        // are only allowing in protect OR unprotected header
-        if get_unprotected_header_certs(sign1).is_ok() {
-            return Err(Error::CoseVerifier);
-        }
-
-        let mut certs: Vec<Vec<u8>> = Vec::new();
-
-        match der {
-            Value::Array(cert_chain) => {
-                // handle array of certs
-                for c in cert_chain {
-                    if let Value::Bytes(der_bytes) = c {
-                        certs.push(der_bytes.clone());
-                    }
-                }
-
-                if certs.is_empty() {
-                    return Err(Error::CoseX5ChainMissing);
-                } else {
-                    return Ok(certs);
-                }
-            }
-            Value::Bytes(ref der_bytes) => {
-                // handle single cert case
-                certs.push(der_bytes.clone());
-                return Ok(certs);
-            }
-            _ => return Err(Error::CoseX5ChainMissing),
-        }
-    }
-
-    // check the unprotected header if necessary
-    get_unprotected_header_certs(sign1)
-}
-
 // internal util function to dump the cert chain in PEM format
 fn dump_cert_chain(certs: &[Vec<u8>]) -> Result<Vec<u8>> {
     let mut out_buf: Vec<u8> = Vec::new();
@@ -350,7 +248,7 @@ pub(crate) async fn verify_cose_async(
     let mut result = ValidationInfo::default();
 
     // get the cert chain
-    let certs = get_sign_certs(&sign1)?;
+    let certs = cert_chain_from_sign1(&sign1)?;
 
     // get the public key der
     let der_bytes = &certs[0];
@@ -455,7 +353,7 @@ pub(crate) async fn verify_cose_async(
         result.date = tst_info_res.ok().map(|t| gt_to_datetime(t.gen_time));
 
         // return cert chain
-        result.cert_chain = dump_cert_chain(&get_sign_certs(&sign1)?)?;
+        result.cert_chain = dump_cert_chain(&cert_chain_from_sign1(&sign1)?)?;
     }
 
     Ok(result)
@@ -500,7 +398,7 @@ pub(crate) fn get_signing_info(
     };
 
     let certs = match sign1 {
-        Ok(s) => match get_sign_certs(&s) {
+        Ok(s) => match cert_chain_from_sign1(&s) {
             Ok(c) => dump_cert_chain(&c).unwrap_or_default(),
             Err(_) => Vec::new(),
         },
@@ -556,7 +454,7 @@ pub(crate) fn verify_cose(
     let mut result = ValidationInfo::default();
 
     // get the cert chain
-    let certs = get_sign_certs(&sign1)?;
+    let certs = cert_chain_from_sign1(&sign1)?;
 
     // get the public key der
     let der_bytes = &certs[0];
@@ -726,6 +624,8 @@ fn gt_to_datetime(
 pub mod tests {
     use c2pa_crypto::SigningAlg;
     use c2pa_status_tracker::DetailedStatusTracker;
+    use ciborium::Value;
+    use coset::Label;
     use sha2::digest::generic_array::sequence::Shorten;
     use x509_parser::{certificate::X509Certificate, pem::Pem};