Expose TrustAnchor -> SubjectPublicKeyInfoDer operation

ctz · ctz · commit 5a4c0448e569 · 2026-01-18T20:37:41.000Z
diff --git a/src/lib.rs b/src/lib.rs
@@ -89,6 +89,9 @@ pub use {
     },
 };
 
+#[cfg(feature = "alloc")]
+pub use trust_anchor::spki_for_anchor;
+
 #[cfg(feature = "alloc")]
 pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
 
diff --git a/src/trust_anchor.rs b/src/trust_anchor.rs
@@ -1,4 +1,4 @@
-use pki_types::{CertificateDer, TrustAnchor};
+use pki_types::{CertificateDer, SubjectPublicKeyInfoDer, TrustAnchor};
 
 use crate::cert::{Cert, lenient_certificate_serial_number};
 use crate::der;
@@ -43,6 +43,12 @@ pub fn anchor_from_trusted_cert<'a>(
     }
 }
 
+/// Reconstitutes the given trust anchor's SubjectPublicKeyInfo.
+#[cfg(feature = "alloc")]
+pub fn spki_for_anchor(anchor: &TrustAnchor<'_>) -> SubjectPublicKeyInfoDer<'static> {
+    der::asn1_wrap(der::Tag::Sequence, &anchor.subject_public_key_info).into()
+}
+
 /// Parses a v1 certificate directly into a TrustAnchor.
 fn extract_trust_anchor_from_v1_cert_der(
     cert_der: untrusted::Input<'_>,
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -26,6 +26,8 @@ use crate::crl::RevocationOptions;
 use crate::der::{self, FromDer};
 use crate::end_entity::EndEntityCert;
 use crate::error::Error;
+#[cfg(feature = "alloc")]
+use crate::trust_anchor;
 use crate::{public_values_eq, subject_name};
 
 // Use `'a` for lifetimes that we don't care about, `'p` for lifetimes that become a part of
@@ -220,10 +222,7 @@ impl<'p> VerifiedPath<'p> {
     pub fn issuer_spki(&self) -> SubjectPublicKeyInfoDer<'p> {
         match self.intermediate_certificates().next() {
             Some(issuer) => issuer.subject_public_key_info(),
-            None => SubjectPublicKeyInfoDer::from(der::asn1_wrap(
-                der::Tag::Sequence,
-                self.anchor.subject_public_key_info.as_ref(),
-            )),
+            None => trust_anchor::spki_for_anchor(self.anchor),
         }
     }
 }
diff --git a/tests/integration.rs b/tests/integration.rs
@@ -509,3 +509,13 @@ fn no_scts() {
         cert.sct_log_timestamps().collect::<Result<Vec<_>, _>>()
     );
 }
+
+#[cfg(feature = "alloc")]
+#[test]
+fn anchor_spki() {
+    let ca = CertificateDer::from(&include_bytes!("netflix/ca.der")[..]);
+    let anchor = anchor_from_trusted_cert(&ca).unwrap();
+    let spki = webpki::spki_for_anchor(&anchor);
+
+    assert_eq!(Some(&0x30), spki.first()); // starts with SEQUENCE
+}

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,8 @@ use crate::crl::RevocationOptions;`
`26`	`26`	`use crate::der::{self, FromDer};`
`27`	`27`	`use crate::end_entity::EndEntityCert;`
`28`	`28`	`use crate::error::Error;`
	`29`	`+#[cfg(feature = "alloc")]`
	`30`	`+use crate::trust_anchor;`
`29`	`31`	`use crate::{public_values_eq, subject_name};`
`30`	`32`
`31`	`33`	// Use `'a` for lifetimes that we don't care about, `'p` for lifetimes that become a part of
`@@ -220,10 +222,7 @@ impl<'p> VerifiedPath<'p> {`
`220`	`222`	`pub fn issuer_spki(&self) -> SubjectPublicKeyInfoDer<'p> {`
`221`	`223`	`match self.intermediate_certificates().next() {`
`222`	`224`	`Some(issuer) => issuer.subject_public_key_info(),`
`223`		`- None => SubjectPublicKeyInfoDer::from(der::asn1_wrap(`
`224`		`- der::Tag::Sequence,`
`225`		`- self.anchor.subject_public_key_info.as_ref(),`
`226`		`- )),`
	`225`	`+ None => trust_anchor::spki_for_anchor(self.anchor),`
`227`	`226`	`}`
`228`	`227`	`}`
`229`	`228`	`}`