x509-cert: provide hash method to certificate

baloo · baloo · commit 61342eb5c2cb · 2025-04-20T18:34:44.000Z
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/cmpv2/Cargo.toml b/cmpv2/Cargo.toml
@@ -32,7 +32,7 @@ alloc = ["der/alloc"]
 std = ["der/std", "spki/std"]
 
 pem = ["alloc", "der/pem"]
-digest = ["dep:digest", "spki/digest"]
+digest = ["dep:digest", "x509-cert/digest"]
 
 [package.metadata.docs.rs]
 all-features = true
diff --git a/cmpv2/src/oob.rs b/cmpv2/src/oob.rs
@@ -9,8 +9,7 @@ use x509_cert::certificate::{Profile, Rfc5280};
 
 #[cfg(feature = "digest")]
 use {
-    der::{Encode, asn1::Null, oid::AssociatedOid},
-    spki::DigestWriter,
+    der::{asn1::Null, oid::AssociatedOid},
     x509_cert::{certificate::CertificateInner, ext::pkix::name::GeneralName},
 };
 
@@ -67,10 +66,6 @@ where
     where
         D: digest::Digest + AssociatedOid,
     {
-        let mut digest = D::new();
-
-        cert.encode(&mut DigestWriter(&mut digest))?;
-
         Ok(Self {
             hash_alg: Some(AlgorithmIdentifierOwned {
                 oid: D::OID,
@@ -81,7 +76,7 @@ where
                 issuer: GeneralName::DirectoryName(cert.tbs_certificate().issuer().clone()),
                 serial_number: cert.tbs_certificate().serial_number().clone(),
             }),
-            hash_val: BitString::from_bytes(&digest.finalize())?,
+            hash_val: BitString::from_bytes(&cert.hash::<D>()?)?,
         })
     }
 }
diff --git a/x509-cert/Cargo.toml b/x509-cert/Cargo.toml
@@ -22,6 +22,7 @@ spki = { version = "0.8.0-rc.0", features = ["alloc"] }
 
 # optional dependencies
 arbitrary = { version = "1.4", features = ["derive"], optional = true }
+digest = { version = "0.11.0-pre.10", optional = true, default-features = false }
 sha1 = { version = "0.11.0-pre.5", optional = true }
 signature = { version = "=2.3.0-pre.6", features = ["rand_core"], optional = true }
 tls_codec = { version = "0.4.0", default-features = false, features = ["derive"], optional = true }
@@ -44,6 +45,7 @@ std = ["der/std", "spki/std", "tls_codec?/std"]
 
 arbitrary = ["dep:arbitrary", "std", "der/arbitrary", "spki/arbitrary"]
 builder = ["std", "sha1/default", "signature"]
+digest = ["dep:digest", "spki/digest"]
 hazmat = []
 pem = ["der/pem", "spki/pem"]
 sct = ["dep:tls_codec"]
diff --git a/x509-cert/src/certificate.rs b/x509-cert/src/certificate.rs
@@ -13,6 +13,13 @@ use der::{
     pem::{self, PemLabel},
 };
 
+#[cfg(feature = "digest")]
+use {
+    der::Encode,
+    digest::{Digest, Output},
+    spki::DigestWriter,
+};
+
 use crate::time::Time;
 
 /// [`Profile`] allows the consumer of this crate to customize the behavior when parsing
@@ -420,3 +427,21 @@ impl<P: Profile> CertificateInner<P> {
         Ok(certs)
     }
 }
+
+#[cfg(feature = "digest")]
+impl<P> CertificateInner<P>
+where
+    P: Profile,
+{
+    /// Return the hash of the DER serialization of this cetificate
+    pub fn hash<D>(&self) -> der::Result<Output<D>>
+    where
+        D: Digest,
+    {
+        let mut digest = D::new();
+
+        self.encode(&mut DigestWriter(&mut digest))?;
+
+        Ok(digest.finalize())
+    }
+}
