Move check_key_usage() into KeyUsageMode impl

djc · ctz · commit 1191c98c81f2 · 2023-07-26T10:34:27.000+01:00
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -211,7 +211,7 @@ fn check_crls(
         .map_err(crl_signature_err)?;
 
     // Verify that if the issuer has a KeyUsage bitstring it asserts cRLSign.
-    check_key_usage(issuer_ku, KeyUsageMode::CrlSign)?;
+    KeyUsageMode::CrlSign.check(issuer_ku)?;
 
     // Try to find the cert serial in the verified CRL contents.
     let cert_serial = cert.serial.as_slice_less_safe();
@@ -430,6 +430,7 @@ pub(crate) static EKU_OCSP_SIGNING: KeyPurposeId =
 
 // https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
 #[repr(u8)]
+#[derive(Clone, Copy)]
 enum KeyUsageMode {
     // DigitalSignature = 0,
     // ContentCommitment = 1,
@@ -442,24 +443,23 @@ enum KeyUsageMode {
     // DecipherOnly = 8,
 }
 
-// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
-fn check_key_usage(
-    input: Option<untrusted::Input>,
-    required_ku_bit_if_present: KeyUsageMode,
-) -> Result<(), Error> {
-    let bit_string = match input {
-        Some(input) => input,
-        // While RFC 5280 requires KeyUsage be present, historically the absence of a KeyUsage
-        // has been treated as "Any Usage". We follow that convention here and assume the absence
-        // of KeyUsage implies the required_ku_bit_if_present we're checking for.
-        None => return Ok(()),
-    };
+impl KeyUsageMode {
+    // https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
+    fn check(self, input: Option<untrusted::Input>) -> Result<(), Error> {
+        let bit_string = match input {
+            Some(input) => input,
+            // While RFC 5280 requires KeyUsage be present, historically the absence of a KeyUsage
+            // has been treated as "Any Usage". We follow that convention here and assume the absence
+            // of KeyUsage implies the required_ku_bit_if_present we're checking for.
+            None => return Ok(()),
+        };
 
-    let flags = der::bit_string_flags(&mut untrusted::Reader::new(bit_string))?;
-    #[allow(clippy::as_conversions)] // u8 always fits in usize.
-    match flags.bit_set(required_ku_bit_if_present as usize) {
-        true => Ok(()),
-        false => Err(Error::IssuerNotCrlSigner),
+        let flags = der::bit_string_flags(&mut untrusted::Reader::new(bit_string))?;
+        #[allow(clippy::as_conversions)] // u8 always fits in usize.
+        match flags.bit_set(self as usize) {
+            true => Ok(()),
+            false => Err(Error::IssuerNotCrlSigner),
+        }
     }
 }
 
