Store x509 certificates (Cip509RbacMetadata::x509_certs) in the decoded format (#128)

Author: stanislav-tkach

rust/rbac-registration/src/cardano/cip509/rbac/certs.rs

@@ -18,7 +18,7 @@ pub enum X509DerCert {
     /// Deleted indicates the key is deleted.
     Deleted,
     /// X.509 certificate.
-    X509Cert(Vec<u8>),
+    X509Cert(Box<Certificate>),
 }
 
 impl Decode<'_, ()> for X509DerCert {
@@ -34,9 +34,10 @@ impl Decode<'_, ()> for X509DerCert {
             minicbor::data::Type::Undefined => Ok(Self::Undefined),
             minicbor::data::Type::Bytes => {
                 let data = decode_bytes(d, "X509DerCert")?;
-                Certificate::from_der(&data)
-                    .map_err(|_| decode::Error::message("Invalid x509 certificate"))?;
-                Ok(Self::X509Cert(data.clone()))
+                let certificate = Certificate::from_der(&data).map_err(|e| {
+                    decode::Error::message(format!("Invalid x509 certificate: {e:?}"))
+                })?;
+                Ok(Self::X509Cert(Box::new(certificate)))
             },
             _ => Err(decode::Error::message("Invalid datatype for X509DerCert")),
         }

rust/rbac-registration/src/cardano/cip509/utils/cip134/uri_set.rs

@@ -10,7 +10,7 @@ use c509_certificate::{
 };
 use der_parser::der::parse_der_sequence;
 use tracing::debug;
-use x509_cert::der::{oid::db::rfc5912::ID_CE_SUBJECT_ALT_NAME, Decode};
+use x509_cert::der::oid::db::rfc5912::ID_CE_SUBJECT_ALT_NAME;
 
 use crate::{
     cardano::cip509::{
@@ -81,8 +81,6 @@ fn extract_x509_uris(certificates: &[X509DerCert]) -> Result<UrisMap> {
         let X509DerCert::X509Cert(cert) = cert else {
             continue;
         };
-        let cert = x509_cert::Certificate::from_der(cert)
-            .with_context(|| "Failed to decode X509 certificate from DER")?;
         // Find the "subject alternative name" extension.
         let Some(extension) = cert
             .tbs_certificate

rust/rbac-registration/src/registration/cardano/mod.rs

@@ -22,6 +22,7 @@ use point_tx_idx::PointTxIdx;
 use role_data::RoleData;
 use tracing::error;
 use uuid::Uuid;
+use x509_cert::certificate::Certificate as X509Certificate;
 
 use crate::{
     cardano::cip509::{
@@ -102,7 +103,7 @@ impl RegistrationChain {
 
     /// Get the map of index in array to point, transaction index, and x509 certificate.
     #[must_use]
-    pub fn x509_certs(&self) -> &HashMap<usize, (PointTxIdx, Vec<u8>)> {
+    pub fn x509_certs(&self) -> &HashMap<usize, (PointTxIdx, X509Certificate)> {
         &self.inner.x509_certs
     }
 
@@ -147,7 +148,7 @@ struct RegistrationChainInner {
 
     // RBAC
     /// Map of index in array to point, transaction index, and x509 certificate.
-    x509_certs: HashMap<usize, (PointTxIdx, Vec<u8>)>,
+    x509_certs: HashMap<usize, (PointTxIdx, X509Certificate)>,
     /// Map of index in array to point, transaction index, and c509 certificate.
     c509_certs: HashMap<usize, (PointTxIdx, C509)>,
     /// Map of index in array to point, transaction index, and public key.
@@ -304,15 +305,18 @@ fn is_valid_cip509(validation_data: &Cip509Validation) -> bool {
 /// Process x509 certificate for chain root.
 fn chain_root_x509_certs(
     x509_certs: Vec<X509DerCert>, point_tx_idx: &PointTxIdx,
-) -> HashMap<usize, (PointTxIdx, Vec<u8>)> {
-    let mut map = HashMap::new();
-    for (idx, cert) in x509_certs.into_iter().enumerate() {
-        // Chain root, expect only the certificate not undefined or delete
-        if let X509DerCert::X509Cert(cert) = cert {
-            map.insert(idx, (point_tx_idx.clone(), cert));
-        }
-    }
-    map
+) -> HashMap<usize, (PointTxIdx, X509Certificate)> {
+    x509_certs
+        .into_iter()
+        .enumerate()
+        .filter_map(|(index, cert)| {
+            if let X509DerCert::X509Cert(cert) = cert {
+                Some((index, (point_tx_idx.clone(), *cert)))
+            } else {
+                None
+            }
+        })
+        .collect()
 }
 
 /// Update x509 certificates in the registration chain.
@@ -331,7 +335,7 @@ fn update_x509_certs(
             X509DerCert::X509Cert(cert) => {
                 new_inner
                     .x509_certs
-                    .insert(idx, (point_tx_idx.clone(), cert));
+                    .insert(idx, (point_tx_idx.clone(), *cert));
             },
         }
     }