Files

aho_corasick

packed

teddy

compile.rsmod.rsruntime.rs

api.rsmod.rspattern.rsrabinkarp.rsvector.rs

ahocorasick.rsautomaton.rsbuffer.rsbyte_frequencies.rsclasses.rsdfa.rserror.rslib.rsnfa.rsprefilter.rsstate_id.rs

ansi_term

ansi.rsdebug.rsdifference.rsdisplay.rslib.rsstyle.rswindows.rswrite.rs

arrayvec

array.rsarray_string.rschar.rserrors.rslib.rsmaybe_uninit_stable.rsrange.rs

atty

lib.rs

backtrace

backtrace

libunwind.rsmod.rs

symbolize

dladdr.rslibbacktrace.rsmod.rs

capture.rslib.rsprint.rstypes.rs

backtrace_sys

lib.rs

base64

write

encoder.rsmod.rs

chunked_encoder.rsdecode.rsdisplay.rsencode.rslib.rstables.rs

bincode

de

mod.rsread.rs

ser

mod.rs

config.rserror.rsinternal.rslib.rs

bitflags

lib.rs

byteorder

io.rslib.rs

bytes

buf

buf.rsbuf_mut.rschain.rsfrom_buf.rsinto_buf.rsiter.rsmod.rsreader.rstake.rsvec_deque.rswriter.rs

bytes.rsdebug.rslib.rs

c2_chacha

guts.rslib.rs

capnp

private

arena.rscapability.rsendian.rslayout.rsmask.rsmod.rsunits.rszero.rs

any_pointer.rsany_pointer_list.rscapability.rscapability_list.rsconstant.rsdata.rsdata_list.rsenum_list.rslib.rslist_list.rsmessage.rsprimitive_list.rsraw.rsserialize.rsserialize_packed.rsstruct_list.rstext.rstext_list.rstraits.rs

capnp_futures

lib.rsread_stream.rsserialize.rswrite_queue.rs

capnp_rpc

attach.rsbroken.rsforked_promise.rslib.rslocal.rsqueued.rsrpc.rssender_queue.rssplit.rstask_set.rstwoparty.rs

cfg_if

lib.rs

chrono

format

mod.rsparse.rsparsed.rsscan.rsstrftime.rs

naive

date.rsdatetime.rsinternals.rsisoweek.rstime.rs

offset

fixed.rslocal.rsmod.rsutc.rs

date.rsdatetime.rsdiv.rslib.rsround.rs

clap

app

help.rsmeta.rsmod.rsparser.rssettings.rsusage.rsvalidator.rs

args

arg_builder

base.rsflag.rsmod.rsoption.rspositional.rsswitched.rsvalued.rs

any_arg.rsarg.rsarg_matcher.rsarg_matches.rsgroup.rsmacros.rsmatched_arg.rsmod.rssettings.rssubcommand.rs

completions

bash.rselvish.rsfish.rsmacros.rsmod.rspowershell.rsshell.rszsh.rs

errors.rsfmt.rslib.rsmacros.rsmap.rsosstringext.rsstrext.rssuggestions.rsusage_parser.rs

crossbeam_deque

lib.rs

crossbeam_epoch

sync

list.rsmod.rsqueue.rs

atomic.rscollector.rsdefault.rsdeferred.rsepoch.rsguard.rsinternal.rslib.rs

crossbeam_queue

array_queue.rserr.rslib.rsseg_queue.rs

crossbeam_utils

atomic

atomic_cell.rsconsume.rsmod.rs

sync

mod.rsparker.rssharded_lock.rswait_group.rs

backoff.rscache_padded.rslib.rsthread.rs

ctrlc

platform

unix

mod.rs

mod.rs

error.rslib.rssignal.rs

daemon

daemon.rslib.rslinux.rssingleton.rs

failure

backtrace

internal.rsmod.rs

error

error_impl.rsmod.rs

as_fail.rsbox_std.rscompat.rscontext.rserror_message.rslib.rsmacros.rsresult_ext.rssync_failure.rs

failure_derive

lib.rs

flexi_logger

writers

file_log_writer.rslog_writer.rsmod.rs

flexi_error.rsflexi_logger.rsformats.rslib.rslog_specification.rslogger.rsprimary_writer.rsreconfiguration_handle.rs

fnv

lib.rs

futures

future

and_then.rscatch_unwind.rschain.rseither.rsempty.rsflatten.rsflatten_stream.rsfrom_err.rsfuse.rsinspect.rsinto_stream.rsjoin.rsjoin_all.rslazy.rsloop_fn.rsmap.rsmap_err.rsmod.rsoption.rsor_else.rspoll_fn.rsresult.rsselect.rsselect2.rsselect_all.rsselect_ok.rsshared.rsthen.rs

sink

buffer.rsfanout.rsflush.rsfrom_err.rsmap_err.rsmod.rssend.rssend_all.rswait.rswith.rswith_flat_map.rs

stream

and_then.rsbuffer_unordered.rsbuffered.rscatch_unwind.rschain.rschannel.rschunks.rscollect.rsconcat.rsempty.rsfilter.rsfilter_map.rsflatten.rsfold.rsfor_each.rsforward.rsfrom_err.rsfuse.rsfuture.rsfutures_ordered.rsfutures_unordered.rsinspect.rsinspect_err.rsiter.rsiter_ok.rsiter_result.rsmap.rsmap_err.rsmerge.rsmod.rsonce.rsor_else.rspeek.rspoll_fn.rsrepeat.rsselect.rsskip.rsskip_while.rssplit.rstake.rstake_while.rsthen.rsunfold.rswait.rszip.rs

sync

mpsc

mod.rsqueue.rs

bilock.rsmod.rsoneshot.rs

task_impl

std

data.rsmod.rstask_rc.rsunpark_mutex.rs

atomic_task.rscore.rsmod.rs

unsync

mod.rsmpsc.rsoneshot.rs

executor.rslib.rslock.rspoll.rsresultstream.rstask.rs

getrandom

error.rserror_impls.rslib.rslinux_android.rsuse_file.rsutil.rsutil_libc.rs

glob

lib.rs

hid_io

api

mod.rs

device

debug

mod.rs

hidusb

mod.rs

mod.rs

module

unicode

mod.rsx11.rs

mod.rs

protocol

hidio

mod.rs

mod.rs

lib.rs

hidapi

error.rsffi.rslib.rs

install_service

install_service.rs

iovec

sys

mod.rsunix.rs

lib.rsunix.rs

lazy_static

inline_lazy.rslib.rs

libc

unix

linux_like

linux

gnu

b64

x86_64

mod.rsnot_x32.rs

mod.rs

align.rsmod.rs

align.rsmod.rs

mod.rs

align.rsmod.rs

fixed_width_ints.rslib.rsmacros.rs

lock_api

lib.rsmutex.rsremutex.rsrwlock.rs

log

lib.rsmacros.rs

memchr

x86

avx.rsmod.rssse2.rs

fallback.rsiter.rslib.rsnaive.rs

memoffset

lib.rsoffset_of.rsspan_of.rs

mio

deprecated

event_loop.rshandler.rsio.rsmod.rsnotify.rsunix.rs

net

mod.rstcp.rsudp.rs

sys

unix

awakener.rsdlsym.rsepoll.rseventedfd.rsio.rsmod.rsready.rstcp.rsudp.rsuds.rsuio.rs

mod.rs

channel.rsevent_imp.rsio.rslazycell.rslib.rspoll.rstimer.rstoken.rsudp.rs

mio_uds

datagram.rslib.rslistener.rssocket.rsstream.rs

nanoid

alphabet.rsgenerator.rslib.rsrandom.rs

net2

sys

unix

impls.rsmod.rs

ext.rslib.rssocket.rstcp.rsudp.rsunix.rsutils.rs

nix

net

if_.rsmod.rs

sys

ioctl

linux.rsmod.rs

ptrace

linux.rsmod.rs

socket

addr.rsmod.rssockopt.rs

aio.rsepoll.rseventfd.rsinotify.rsmemfd.rsmman.rsmod.rspthread.rsquota.rsreboot.rsselect.rssendfile.rssignal.rssignalfd.rsstat.rsstatfs.rsstatvfs.rssysinfo.rstermios.rstime.rsuio.rsutsname.rswait.rs

dir.rserrno.rsfcntl.rsfeatures.rsifaddrs.rskmod.rslib.rsmacros.rsmount.rsmqueue.rspoll.rspty.rssched.rsucontext.rsunistd.rs

nodrop

lib.rs

num_cpus

lib.rs

num_integer

lib.rsroots.rs

num_traits

ops

checked.rsinv.rsmod.rsmul_add.rssaturating.rswrapping.rs

bounds.rscast.rsfloat.rsidentities.rsint.rslib.rsmacros.rspow.rssign.rs

open

lib.rs

parking_lot

condvar.rsdeadlock.rselision.rslib.rsmutex.rsonce.rsraw_mutex.rsraw_rwlock.rsremutex.rsrwlock.rsutil.rs

parking_lot_core

thread_parker

linux.rsmod.rs

lib.rsparking_lot.rsspinwait.rsutil.rsword_lock.rs

pem

errors.rslib.rs

ppv_lite86

x86_64

mod.rssse2.rs

lib.rssoft.rstypes.rs

proc_macro2

fallback.rslib.rsstrnom.rswrapper.rs

quote

ext.rsformat.rsident_fragment.rslib.rsruntime.rsspanned.rsto_tokens.rs

rand

distributions

weighted

alias_method.rsmod.rs

bernoulli.rsbinomial.rscauchy.rsdirichlet.rsexponential.rsfloat.rsgamma.rsinteger.rsmod.rsnormal.rsother.rspareto.rspoisson.rstriangular.rsuniform.rsunit_circle.rsunit_sphere.rsutils.rsweibull.rsziggurat_tables.rs

rngs

adapter

mod.rsread.rsreseeding.rs

entropy.rsmock.rsmod.rsstd.rsthread.rs

seq

index.rsmod.rs

lib.rsprelude.rs

rand_chacha

chacha.rslib.rs

rand_core

block.rserror.rsimpls.rsle.rslib.rsos.rs

rand_hc

hc128.rslib.rs

rand_isaac

isaac.rsisaac64.rsisaac_array.rslib.rs

rand_jitter

dummy_log.rserror.rslib.rsplatform.rs

rand_os

dummy_log.rslib.rslinux_android.rsrandom_device.rs

rand_pcg

lib.rspcg128.rspcg64.rs

rand_xorshift

lib.rs

rcgen

lib.rs

regex

literal

imp.rsmod.rs

backtrack.rscache.rscompile.rsdfa.rserror.rsexec.rsexpand.rsfind_byte.rsfreqs.rsinput.rslib.rspikevm.rsprog.rsre_builder.rsre_bytes.rsre_set.rsre_trait.rsre_unicode.rssparse.rsutf8.rs

regex_syntax

ast

mod.rsparse.rsprint.rsvisitor.rs

hir

literal

mod.rs

interval.rsmod.rsprint.rstranslate.rsvisitor.rs

unicode_tables

age.rscase_folding_simple.rsgeneral_category.rsgrapheme_cluster_break.rsmod.rsperl_word.rsproperty_bool.rsproperty_names.rsproperty_values.rsscript.rsscript_extension.rssentence_break.rsword_break.rs

either.rserror.rslib.rsparser.rsunicode.rsutf8.rs

remove_dir_all

lib.rs

ring

aead

aes.rsaes_gcm.rsblock.rschacha.rschacha20_poly1305.rschacha20_poly1305_openssh.rsgcm.rsnonce.rspoly1305.rsquic.rsshift.rs

arithmetic

bigint.rsconstant.rsmontgomery.rs

digest

sha1.rssha2.rs

ec

curve25519

ed25519

signing.rsverification.rs

ed25519.rsops.rsscalar.rsx25519.rs

suite_b

ecdsa

digest_scalar.rssigning.rsverification.rs

ops

elem.rsp256.rsp384.rs

curve.rsecdh.rsecdsa.rsops.rsprivate_key.rspublic_key.rs

curve25519.rskeys.rssuite_b.rs

io

der.rsder_writer.rspositive.rswriter.rs

polyfill

convert.rs

rsa

padding.rssigning.rsverification.rs

aead.rsagreement.rsarithmetic.rsbits.rsbssl.rsc.rsconstant_time.rscpu.rsdebug.rsdigest.rsec.rsendian.rserror.rshkdf.rshmac.rsio.rslib.rslimb.rspbkdf2.rspkcs8.rspolyfill.rsrand.rsrsa.rssignature.rstest.rs

rustc_demangle

legacy.rslib.rsv0.rs

rustls

client

common.rshandy.rshs.rsmod.rstls12.rstls13.rs

msgs

alert.rsbase.rsccs.rscodec.rsdeframer.rsenums.rsfragmenter.rshandshake.rshsjoiner.rsmacros.rsmessage.rsmod.rspersist.rs

server

common.rshandy.rshs.rsmod.rstls12.rstls13.rs

anchors.rsbs_debug.rscipher.rserror.rshandshake.rshash_hs.rskey.rskey_schedule.rskeylog.rslib.rspemfile.rsprf.rsrand.rssession.rssign.rsstream.rssuites.rsticketer.rsutil.rsvecbuf.rsverify.rsx509.rs

scoped_tls

lib.rs

scopeguard

lib.rs

sct

lib.rs

serde

de

from_primitive.rsignored_any.rsimpls.rsmod.rsutf8.rsvalue.rs

private

de.rsmacros.rsmod.rsser.rs

ser

impls.rsimpossible.rsmod.rs

export.rsinteger128.rslib.rsmacros.rs

slab

lib.rs

smallvec

lib.rs

spin

lib.rsmutex.rsonce.rsrw_lock.rs

stream_cancel

combinator.rslib.rswrapper.rs

strsim

lib.rs

syn

gen

gen_helper.rsvisit.rs

attr.rsbigint.rsbuffer.rscustom_keyword.rscustom_punctuation.rsdata.rsderive.rsdiscouraged.rserror.rsexport.rsexpr.rsext.rsfile.rsgenerics.rsgroup.rsident.rsitem.rslib.rslifetime.rslit.rslookahead.rsmac.rsmacros.rsop.rsparse.rsparse_macro_input.rsparse_quote.rspat.rspath.rsprint.rspunctuated.rssealed.rsspan.rsspanned.rsstmt.rsthread.rstoken.rstt.rsty.rs

synstructure

lib.rsmacros.rs

tempfile

file

imp

mod.rsunix.rs

mod.rs

dir.rserror.rslib.rsspooled.rsutil.rs

textwrap

indentation.rslib.rssplitting.rs

thread_local

lib.rsthread_id.rsunreachable.rs

time

display.rsduration.rslib.rsparse.rssys.rs

tokio

codec

length_delimited.rsmod.rs

executor

current_thread

mod.rs

mod.rs

reactor

mod.rspoll_evented.rs

runtime

current_thread

builder.rsmod.rsruntime.rs

threadpool

builder.rsmod.rsshutdown.rstask_executor.rs

mod.rs

util

enumerate.rsfuture.rsmod.rsstream.rs

clock.rsfs.rsio.rslib.rsnet.rsprelude.rssync.rstimer.rs

tokio_codec

bytes_codec.rslib.rslines_codec.rs

tokio_core

io

copy.rsflush.rsframe.rsmod.rsread.rsread_exact.rsread_to_end.rsread_until.rssplit.rswindow.rswrite_all.rs

net

udp

frame.rsmod.rs

mod.rstcp.rs

reactor

interval.rsmod.rspoll_evented.rspoll_evented2.rstimeout.rs

lib.rs

tokio_current_thread

lib.rsscheduler.rs

tokio_executor

enter.rserror.rsexecutor.rsglobal.rslib.rspark.rstyped.rs

tokio_fs

file

clone.rscreate.rsmetadata.rsmod.rsopen.rsopen_options.rsseek.rs

os

mod.rsunix.rs

create_dir.rscreate_dir_all.rshard_link.rslib.rsmetadata.rsread.rsread_dir.rsread_link.rsremove_dir.rsremove_file.rsrename.rsset_permissions.rsstderr.rsstdin.rsstdout.rssymlink_metadata.rswrite.rs

tokio_io

_tokio_codec

decoder.rsencoder.rsframed.rsframed_read.rsframed_write.rsmod.rs

codec

bytes_codec.rsdecoder.rsencoder.rslines_codec.rsmod.rs

io

copy.rsflush.rsmod.rsread.rsread_exact.rsread_to_end.rsread_until.rsshutdown.rswrite_all.rs

allow_std.rsasync_read.rsasync_write.rsframed.rsframed_read.rsframed_write.rslength_delimited.rslib.rslines.rssplit.rswindow.rs

tokio_reactor

background.rslib.rspoll_evented.rsregistration.rssharded_rwlock.rs

tokio_rustls

common

mod.rsvecbuf.rs

client.rslib.rsserver.rs

tokio_sync

mpsc

block.rsbounded.rschan.rslist.rsmod.rsunbounded.rs

task

atomic_task.rsmod.rs

lib.rslock.rsloom.rsoneshot.rssemaphore.rswatch.rs

tokio_tcp

incoming.rslib.rslistener.rsstream.rs

tokio_threadpool

park

boxed.rsdefault_park.rsmod.rs

pool

backup.rsbackup_stack.rsmod.rsstate.rs

task

blocking.rsblocking_state.rsmod.rsstate.rs

worker

entry.rsmod.rsstack.rsstate.rs

blocking.rsbuilder.rscallback.rsconfig.rslib.rsnotifier.rssender.rsshutdown.rsthread_pool.rs

tokio_timer

clock

clock.rsmod.rsnow.rs

timer

atomic_stack.rsentry.rshandle.rsmod.rsnow.rsregistration.rsstack.rs

wheel

level.rsmod.rsstack.rs

atomic.rsdeadline.rsdelay.rsdelay_queue.rserror.rsinterval.rslib.rsthrottle.rstimeout.rs

tokio_udp

frame.rslib.rsrecv_dgram.rssend_dgram.rssocket.rs

tokio_uds

datagram.rsframe.rsincoming.rslib.rslistener.rsrecv_dgram.rssend_dgram.rsstream.rsucred.rs

unicode_width

lib.rstables.rs

unicode_xid

lib.rstables.rs

untrusted

untrusted.rs

vec_map

lib.rs

void

lib.rs

webpki

calendar.rscert.rsder.rserror.rsname.rssigned_data.rstime.rstrust_anchor_util.rsverify_cert.rswebpki.rs

windows_service

lib.rs

x11

dpms.rsglx.rsinternal.rskeysym.rslib.rslink.rsxcursor.rsxf86vmode.rsxfixes.rsxft.rsxinerama.rsxinput.rsxinput2.rsxlib.rsxlib_xcb.rsxmd.rsxmu.rsxrandr.rsxrecord.rsxrender.rsxss.rsxt.rsxtest.rs

xcb

ffi

base.rsbig_requests.rsxc_misc.rsxkb.rsxproto.rs

base.rsbig_requests.rslib.rsxc_misc.rsxkb.rsxproto.rs

xkbcommon

xkb

x11

ffi.rsmod.rs

compose.rsffi.rskeysyms.rsmod.rs

lib.rs

yasna

deserializer

mod.rs

models

der.rsmod.rsoid.rstime.rs

reader

error.rsmod.rs

serializer

mod.rs

tags

mod.rs

writer

mod.rs

lib.rs

>

// Copyright 2015 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use crate::{
    cert::{self, Cert, EndEntityOrCA},
    der, name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor,
};

pub fn build_chain(
    required_eku_if_present: KeyPurposeId, supported_sig_algs: &[&SignatureAlgorithm],
    trust_anchors: &[TrustAnchor], intermediate_certs: &[&[u8]], cert: &Cert, time: time::Time,
    sub_ca_count: usize,
) -> Result<(), Error> {
    let used_as_ca = used_as_ca(&cert.ee_or_ca);

    check_issuer_independent_properties(
        cert,
        time,
        used_as_ca,
        sub_ca_count,
        required_eku_if_present,
    )?;

    // TODO: HPKP checks.

    match used_as_ca {
        UsedAsCA::Yes => {
            const MAX_SUB_CA_COUNT: usize = 6;

            if sub_ca_count >= MAX_SUB_CA_COUNT {
                return Err(Error::UnknownIssuer);
            }
        },
        UsedAsCA::No => {
            assert_eq!(0, sub_ca_count);
        },
    }

    // TODO: revocation.

    match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
        let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
        if cert.issuer != trust_anchor_subject {
            return Err(Error::UnknownIssuer);
        }

        let name_constraints = trust_anchor.name_constraints.map(untrusted::Input::from);

        untrusted::read_all_optional(name_constraints, Error::BadDER, |value| {
            name::check_name_constraints(value, &cert)
        })?;

        let trust_anchor_spki = untrusted::Input::from(trust_anchor.spki);

        // TODO: check_distrust(trust_anchor_subject, trust_anchor_spki)?;

        check_signatures(supported_sig_algs, cert, trust_anchor_spki)?;

        Ok(())
    }) {
        Ok(()) => {
            return Ok(());
        },
        Err(..) => {
            // If the error is not fatal, then keep going.
        },
    }

    loop_while_non_fatal_error(intermediate_certs, |cert_der| {
        let potential_issuer =
            cert::parse_cert(untrusted::Input::from(*cert_der), EndEntityOrCA::CA(&cert))?;

        if potential_issuer.subject != cert.issuer {
            return Err(Error::UnknownIssuer);
        }

        // Prevent loops; see RFC 4158 section 5.2.
        let mut prev = cert;
        loop {
            if potential_issuer.spki == prev.spki && potential_issuer.subject == prev.subject {
                return Err(Error::UnknownIssuer);
            }
            match &prev.ee_or_ca {
                &EndEntityOrCA::EndEntity => {
                    break;
                },
                &EndEntityOrCA::CA(child_cert) => {
                    prev = child_cert;
                },
            }
        }

        untrusted::read_all_optional(potential_issuer.name_constraints, Error::BadDER, |value| {
            name::check_name_constraints(value, &cert)
        })?;

        let next_sub_ca_count = match used_as_ca {
            UsedAsCA::No => sub_ca_count,
            UsedAsCA::Yes => sub_ca_count + 1,
        };

        build_chain(
            required_eku_if_present,
            supported_sig_algs,
            trust_anchors,
            intermediate_certs,
            &potential_issuer,
            time,
            next_sub_ca_count,
        )
    })
}

fn check_signatures(
    supported_sig_algs: &[&SignatureAlgorithm], cert_chain: &Cert,
    trust_anchor_key: untrusted::Input,
) -> Result<(), Error> {
    let mut spki_value = trust_anchor_key;
    let mut cert = cert_chain;
    loop {
        signed_data::verify_signed_data(supported_sig_algs, spki_value, &cert.signed_data)?;

        // TODO: check revocation

        match &cert.ee_or_ca {
            &EndEntityOrCA::CA(child_cert) => {
                spki_value = cert.spki;
                cert = child_cert;
            },
            &EndEntityOrCA::EndEntity => {
                break;
            },
        }
    }

    Ok(())
}

fn check_issuer_independent_properties(
    cert: &Cert, time: time::Time, used_as_ca: UsedAsCA, sub_ca_count: usize,
    required_eku_if_present: KeyPurposeId,
) -> Result<(), Error> {
    // TODO: check_distrust(trust_anchor_subject, trust_anchor_spki)?;
    // TODO: Check signature algorithm like mozilla::pkix.
    // TODO: Check SPKI like mozilla::pkix.
    // TODO: check for active distrust like mozilla::pkix.

    // See the comment in `remember_extension` for why we don't check the
    // KeyUsage extension.

    cert.validity
        .read_all(Error::BadDER, |value| check_validity(value, time))?;
    untrusted::read_all_optional(cert.basic_constraints, Error::BadDER, |value| {
        check_basic_constraints(value, used_as_ca, sub_ca_count)
    })?;
    untrusted::read_all_optional(cert.eku, Error::BadDER, |value| {
        check_eku(value, required_eku_if_present)
    })?;

    Ok(())
}

// https://tools.ietf.org/html/rfc5280#section-4.1.2.5
fn check_validity(input: &mut untrusted::Reader, time: time::Time) -> Result<(), Error> {
    let not_before = der::time_choice(input)?;
    let not_after = der::time_choice(input)?;

    if not_before > not_after {
        return Err(Error::InvalidCertValidity);
    }
    if time < not_before {
        return Err(Error::CertNotValidYet);
    }
    if time > not_after {
        return Err(Error::CertExpired);
    }

    // TODO: mozilla::pkix allows the TrustDomain to check not_before and
    // not_after, to enforce things like a maximum validity period. We should
    // do something similar.

    Ok(())
}

#[derive(Clone, Copy)]
enum UsedAsCA {
    Yes,
    No,
}

fn used_as_ca(ee_or_ca: &EndEntityOrCA) -> UsedAsCA {
    match ee_or_ca {
        &EndEntityOrCA::EndEntity => UsedAsCA::No,
        &EndEntityOrCA::CA(..) => UsedAsCA::Yes,
    }
}

// https://tools.ietf.org/html/rfc5280#section-4.2.1.9
fn check_basic_constraints(
    input: Option<&mut untrusted::Reader>, used_as_ca: UsedAsCA, sub_ca_count: usize,
) -> Result<(), Error> {
    let (is_ca, path_len_constraint) = match input {
        Some(input) => {
            let is_ca = der::optional_boolean(input)?;

            // https://bugzilla.mozilla.org/show_bug.cgi?id=985025: RFC 5280
            // says that a certificate must not have pathLenConstraint unless
            // it is a CA certificate, but some real-world end-entity
            // certificates have pathLenConstraint.
            let path_len_constraint = if !input.at_end() {
                let value = der::small_nonnegative_integer(input)?;
                Some(value as usize)
            } else {
                None
            };

            (is_ca, path_len_constraint)
        },
        None => (false, None),
    };

    match (used_as_ca, is_ca, path_len_constraint) {
        (UsedAsCA::No, true, _) => Err(Error::CAUsedAsEndEntity),
        (UsedAsCA::Yes, false, _) => Err(Error::EndEntityUsedAsCA),
        (UsedAsCA::Yes, true, Some(len)) if sub_ca_count > len =>
            Err(Error::PathLenConstraintViolated),
        _ => Ok(()),
    }
}

#[derive(Clone, Copy)]
pub struct KeyPurposeId {
    oid_value: untrusted::Input<'static>,
}

// id-pkix            OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 }
// id-kp              OBJECT IDENTIFIER ::= { id-pkix 3 }

// id-kp-serverAuth   OBJECT IDENTIFIER ::= { id-kp 1 }
pub static EKU_SERVER_AUTH: KeyPurposeId = KeyPurposeId {
    oid_value: untrusted::Input::from(&[(40 * 1) + 3, 6, 1, 5, 5, 7, 3, 1]),
};

// id-kp-clientAuth   OBJECT IDENTIFIER ::= { id-kp 2 }
pub static EKU_CLIENT_AUTH: KeyPurposeId = KeyPurposeId {
    oid_value: untrusted::Input::from(&[(40 * 1) + 3, 6, 1, 5, 5, 7, 3, 2]),
};

// id-kp-OCSPSigning  OBJECT IDENTIFIER ::= { id-kp 9 }
pub static EKU_OCSP_SIGNING: KeyPurposeId = KeyPurposeId {
    oid_value: untrusted::Input::from(&[(40 * 1) + 3, 6, 1, 5, 5, 7, 3, 9]),
};

// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
//
// Notable Differences from RFC 5280:
//
// * We follow the convention established by Microsoft's implementation and
//   mozilla::pkix of treating the EKU extension in a CA certificate as a
//   restriction on the allowable EKUs for certificates issued by that CA. RFC
//   5280 doesn't prescribe any meaning to the EKU extension when a certificate
//   is being used as a CA certificate.
//
// * We do not recognize anyExtendedKeyUsage. NSS and mozilla::pkix do not
//   recognize it either.
//
// * We treat id-Netscape-stepUp as being equivalent to id-kp-serverAuth in CA
//   certificates (only). Comodo has issued certificates that require this
//   behavior that don't expire until June 2020. See https://bugzilla.mozilla.org/show_bug.cgi?id=982292.
fn check_eku(
    input: Option<&mut untrusted::Reader>, required_eku_if_present: KeyPurposeId,
) -> Result<(), Error> {
    match input {
        Some(input) => {
            loop {
                let value = der::expect_tag_and_get_value(input, der::Tag::OID)?;
                if value == required_eku_if_present.oid_value {
                    input.skip_to_end();
                    break;
                }
                if input.at_end() {
                    return Err(Error::RequiredEKUNotFound);
                }
            }
            Ok(())
        },
        None => {
            // http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
            // "OCSP signing delegation SHALL be designated by the inclusion of
            // id-kp-OCSPSigning in an extended key usage certificate extension
            // included in the OCSP response signer's certificate."
            //
            // A missing EKU extension generally means "any EKU", but it is
            // important that id-kp-OCSPSigning is explicit so that a normal
            // end-entity certificate isn't able to sign trusted OCSP responses
            // for itself or for other certificates issued by its issuing CA.
            if required_eku_if_present.oid_value == EKU_OCSP_SIGNING.oid_value {
                return Err(Error::RequiredEKUNotFound);
            }

            Ok(())
        },
    }
}

fn loop_while_non_fatal_error<V, F>(values: V, f: F) -> Result<(), Error>
where
    V: IntoIterator,
    F: Fn(V::Item) -> Result<(), Error>,
{
    for v in values {
        match f(v) {
            Ok(()) => {
                return Ok(());
            },
            Err(..) => {
                // If the error is not fatal, then keep going.
            },
        }
    }
    Err(Error::UnknownIssuer)
}