kipuka/config/cmp.rs
//! CMP v3 configuration (RFC 9810).
//!
//! The `[cmp]` section enables the Certificate Management Protocol
//! endpoint at `/.well-known/cmp`. CMP provides a comprehensive
//! certificate lifecycle protocol with its own ASN.1 message format.
//!
7use serde::Deserialize;
8
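/// `[cmp]` section — CMP v3 certificate management endpoint.
///
/// Every key carries a serde default, so an empty `[cmp]` table (or an
/// absent one, via [`Default`]) yields a configuration with the endpoint
/// disabled. `deny_unknown_fields` turns a misspelled or unsupported key
/// into a deserialization error instead of a silently ignored setting.
///
/// ```toml
/// [cmp]
/// enabled = true
/// allow_ir = true
/// allow_cr = true
/// allow_kur = true
/// allow_rr = false
/// allow_mac_protection = true
/// mac_algorithm = "hmac-sha256"
/// ```
#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct CmpConfig {
    /// Enable the CMP endpoint. Defaults to `false`.
    #[serde(default)]
    pub enabled: bool,

    /// Allow initialization requests (new enrollment). Defaults to `true`.
    #[serde(default = "default_true")]
    pub allow_ir: bool,

    /// Allow certification requests. Defaults to `true`.
    #[serde(default = "default_true")]
    pub allow_cr: bool,

    /// Allow key update requests. Defaults to `true`.
    #[serde(default = "default_true")]
    pub allow_kur: bool,

    /// Allow revocation requests via CMP. Defaults to `false`, so
    /// revocation over this endpoint must be opted into explicitly.
    #[serde(default)]
    pub allow_rr: bool,

    /// Allow MAC-based (shared-secret) protection for initial enrollment.
    /// Defaults to `true`. While enabled, the assurance of an initial
    /// enrollment rests on the shared secret and on
    /// [`Self::mac_algorithm`].
    #[serde(default = "default_true")]
    pub allow_mac_protection: bool,

    /// MAC algorithm for shared-secret protection. Defaults to
    /// `"hmac-sha256"`. The value is stored as given; nothing in this
    /// module validates it, so an unsupported name is presumably rejected
    /// where the MAC is computed — confirm at the consumer.
    #[serde(default = "default_mac_algorithm")]
    pub mac_algorithm: String,

    /// Certificate profile for cross-certification requests. `None` when
    /// not configured.
    #[serde(default)]
    pub reference_cert_profile: Option<String>,
}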
56
/// Serde default helper for the `allow_*` flags that are on unless the
/// `[cmp]` table turns them off.
fn default_true() -> bool {
    true
}
60
/// Serde default for `CmpConfig::mac_algorithm`: HMAC with SHA-256,
/// spelled the way the `[cmp]` table expects it.
fn default_mac_algorithm() -> String {
    const DEFAULT_MAC_ALGORITHM: &str = "hmac-sha256";
    String::from(DEFAULT_MAC_ALGORITHM)
}
64
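impl Default for CmpConfig {
    /// Mirrors the serde field defaults: endpoint disabled, `ir`/`cr`/`kur`
    /// allowed, revocation disabled, MAC protection allowed with
    /// `hmac-sha256`, no reference certificate profile.
    ///
    /// The `true` flags and the MAC algorithm come from the same helpers
    /// the serde attributes name, so the two default paths cannot drift
    /// apart for those fields.
    fn default() -> Self {
        Self {
            // Off until explicitly enabled, matching `#[serde(default)]`.
            enabled: false,
            allow_ir: default_true(),
            allow_cr: default_true(),
            allow_kur: default_true(),
            // Revocation over CMP is opt-in, matching `#[serde(default)]`.
            allow_rr: false,
            allow_mac_protection: default_true(),
            mac_algorithm: default_mac_algorithm(),
            reference_cert_profile: None,
        }
    }
}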
78}