Function verify_cms_signed_data 

pub fn verify_cms_signed_data(
    signed_data_der: &[u8],
    truststore: &[Vec<u8>],
) -> Result<CmsVerificationResult, KipukaError>

Verify a CMS SignedData message and extract the payload.

RFC 8295 §3.1: The EST server performs the following steps:

  1. Parse the outer ContentInfo (DER) and verify contentType is id-signedData (OID 1.2.840.113549.1.7.2).
  2. Extract the SignerInfo — exactly one signer is expected for EST.
  3. Locate the signer’s certificate in the certificates field.
  4. Verify the signature using the signer’s public key and the digestAlgorithm + signatureAlgorithm from SignerInfo.
  5. Validate the signer’s certificate chain against truststore:
    • Build a chain from the signer cert to a trust anchor.
    • Check validity periods (notBefore/notAfter).
    • Check revocation status (CRL/OCSP) if configured.
  6. Extract the eContent from encapContentInfo — the unwrapped payload (CSR).
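
The structural part of steps 1 and 2 can be sketched with a std-only DER reader. This is an added example, not Kipuka's implementation: `read_tlv`, `expect`, `signer_count` and the constructed `SAMPLE` bytes are hypothetical, and locating the signer certificate, signature verification and chain validation (steps 3 to 5) are not covered.

```rust
// Added example, hypothetical names. SAMPLE is a constructed skeleton, not a real
// signed message: empty digestAlgorithms, no certificates, one empty SignerInfo.
const SAMPLE: [u8; 39] = [
    0x30, 0x25, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02,
    0xA0, 0x18, 0x30, 0x16, 0x02, 0x01, 0x01, 0x31, 0x00, 0x30, 0x0B, 0x06, 0x09,
    0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x02, 0x30, 0x00,
];
const ID_SIGNED_DATA: &[u8] = b"\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"; // 1.2.840.113549.1.7.2
type Res<T> = Result<T, &'static str>;
/// Read one DER TLV as (tag, value, rest); rejects indefinite and non-minimal lengths.
fn read_tlv(input: &[u8]) -> Res<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first().ok_or("truncated tag")?;
    let (&first, mut rest) = rest.split_first().ok_or("truncated length")?;
    let mut len = first as usize;
    if first >= 0x80 {
        let n = len & 0x7F;
        if n == 0 || n > 4 || rest.len() < n { return Err("unsupported length"); }
        len = rest[..n].iter().fold(0, |acc, &b| (acc << 8) | b as usize);
        if rest[0] == 0 || len < 0x80 { return Err("non-minimal length"); }
        rest = &rest[n..];
    }
    if rest.len() < len { return Err("truncated value"); }
    Ok((tag, &rest[..len], &rest[len..]))
}

/// Read a TLV that must carry tag `want`; with `last`, nothing may follow it.
fn expect(input: &[u8], want: u8, last: bool) -> Res<(&[u8], &[u8])> {
    let (tag, val, rest) = read_tlv(input)?;
    if tag != want || (last && !rest.is_empty()) { return Err("unexpected structure"); }
    Ok((val, rest))
}

/// Steps 1 and 2: require contentType id-signedData, then count SignerInfo entries.
fn signer_count(der: &[u8]) -> Res<usize> {
    let (body, _) = expect(der, 0x30, true)?; // ContentInfo
    let (oid, rest) = expect(body, 0x06, false)?; // contentType
    if oid != ID_SIGNED_DATA { return Err("contentType is not id-signedData"); }
    let (content, _) = expect(rest, 0xA0, true)?; // [0] EXPLICIT content
    let (mut rest, _) = expect(content, 0x30, true)?; // SignedData
    // version, digestAlgorithms, encapContentInfo
    for tag in [0x02, 0x31, 0x30] { rest = expect(rest, tag, false)?.1; }
    // optional certificates [0] and crls [1]
    for tag in [0xA0, 0xA1] { if rest.first() == Some(&tag) { rest = read_tlv(rest)?.2; } }
    let (mut infos, mut count) = (expect(rest, 0x31, true)?.0, 0);
    while !infos.is_empty() { infos = expect(infos, 0x30, false)?.1; count += 1; }
    Ok(count)
}

fn main() { println!("{:?}", signer_count(&SAMPLE).map(|n| n == 1)); }
```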

§Arguments

  • signed_data_der — DER-encoded CMS ContentInfo containing SignedData.
  • truststore — DER-encoded trust anchor certificates to verify the signer’s certificate chain against.

§Errors

  • KipukaError::BadRequest — malformed CMS, missing signer, empty payload.
  • KipukaError::Auth — signature verification failure, untrusted signer.
  • KipukaError::Internal — crypto operations not yet implemented.