Struct CertificationRequest 

pub struct CertificationRequest {
    pub version: u8,
    pub subject: String,
    pub key_algorithm: KeyAlgorithm,
    pub subject_public_key_info: Vec<u8>,
    pub signature_algorithm: String,
    pub signature: Vec<u8>,
    pub subject_alt_names: Vec<String>,
    pub key_usage: Vec<String>,
    pub challenge_password: Option<String>,
    pub tbs_der: Vec<u8>,
}

Parsed PKCS#10 Certification Request per RFC 2986 §4.

CertificationRequest ::= SEQUENCE {
    certificationRequestInfo  CertificationRequestInfo,
    signatureAlgorithm        AlgorithmIdentifier{{ SignatureAlgorithms }},
    signature                 BIT STRING
}

This struct represents the logical structure of a parsed CSR. The actual DER parsing is performed by the CA module using the synta crate; this struct captures the extracted fields for EST protocol-level processing.

Fields

version: u8

CSR version (0 = v1 per RFC 2986 §4.1).

subject: String

Subject distinguished name (e.g., “CN=example.com,O=ACME,C=US”).

key_algorithm: KeyAlgorithm

Key algorithm from SubjectPublicKeyInfo.

subject_public_key_info: Vec<u8>

DER-encoded SubjectPublicKeyInfo.

signature_algorithm: String

Signature algorithm OID (e.g., ML-DSA-65, sha256WithRSAEncryption).

signature: Vec<u8>

DER-encoded signature BIT STRING value.

subject_alt_names: Vec<String>

Subject Alternative Names extracted from the extensionRequest attribute (OID 1.2.840.113549.1.9.14) per RFC 2986 §4.1 and RFC 5280 §4.2.1.6.

key_usage: Vec<String>

Key usage flags from the extensionRequest attribute, if present.

challenge_password: Option<String>

ChallengePassword attribute (OID 1.2.840.113549.1.9.7) per RFC 2986 §4.1.

When present, this carries a shared secret (e.g., OTP) for binding the CSR to a pre-authorized enrollment. See also RFC 7030 §3.2.3.

tbs_der: Vec<u8>

Raw DER of the CertificationRequestInfo for signature verification.

Implementations

impl CertificationRequest

pub fn verify_self_signature(&self) -> EstResult<()>

Verify the CSR self-signature over CertificationRequestInfo.

RFC 2986 §3: “The signature process consists of two steps:

1. The value of the certificationRequestInfo component is DER encoded, producing an octet string.
2. The result of step 1 is signed with the certification request subject’s private key under the specified signature algorithm.“

This method validates that the signature was produced by the private key corresponding to the public key in subject_public_key_info. Full cryptographic verification is delegated to the CA module.

pub fn validate_challenge_password(&self, expected: &str) -> EstResult<()>

Validate the challengePassword attribute if present.

Per RFC 2986 §4.1 the challengePassword attribute (OID 1.2.840.113549.1.9.7) carries a password for identity verification. When used with EST OTP binding, this password must match the pre-provisioned OTP.

Trait Implementations

impl Clone for CertificationRequest

fn clone(&self) -> CertificationRequest

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for CertificationRequest

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for CertificationRequest

fn eq(&self, other: &CertificationRequest) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for CertificationRequest

impl StructuralPartialEq for CertificationRequest