use base64::Engine; use url::Url; #[derive(Clone, Debug, PartialEq, Eq)] pub struct Tal { pub raw: Vec, pub comments: Vec, pub ta_uris: Vec, pub subject_public_key_info_der: Vec, } #[derive(Debug, thiserror::Error)] pub enum TalDecodeError { #[error("TAL must be valid UTF-8 (RFC 8630 §2.2)")] InvalidUtf8, #[error("TAL comments must appear only at the beginning (RFC 8630 §2.2)")] CommentAfterHeader, #[error("TAL must contain at least one TA URI line (RFC 8630 §2.2)")] MissingTaUris, #[error("TAL must contain an empty line separator between URI list and SPKI base64 (RFC 8630 §2.2)")] MissingSeparatorEmptyLine, #[error("TAL TA URI invalid: {0} (RFC 8630 §2.2)")] InvalidUri(String), #[error("TAL TA URI scheme must be rsync or https, got {0} (RFC 8630 §2.2)")] UnsupportedUriScheme(String), #[error("TAL TA URI must reference a single object (must not end with '/'): {0} (RFC 8630 §2.3)")] UriIsDirectory(String), #[error("TAL must contain base64-encoded SubjectPublicKeyInfo after the separator (RFC 8630 §2.2)")] MissingSpki, #[error("TAL SPKI base64 decode failed (RFC 8630 §2.2)")] SpkiBase64Decode, #[error("TAL SPKI DER is empty (RFC 8630 §2.2)")] SpkiDerEmpty, } impl Tal { pub fn decode_bytes(input: &[u8]) -> Result { let raw = input.to_vec(); let text = std::str::from_utf8(input).map_err(|_| TalDecodeError::InvalidUtf8)?; let lines: Vec<&str> = text .split('\n') .map(|l| l.strip_suffix('\r').unwrap_or(l)) .collect(); let mut idx = 0usize; // 1) Leading comments. let mut comments: Vec = Vec::new(); while idx < lines.len() && lines[idx].starts_with('#') { comments.push(lines[idx][1..].to_string()); idx += 1; } // 2) URI list (one or more non-empty lines). let mut ta_uris: Vec = Vec::new(); while idx < lines.len() { let line = lines[idx].trim(); if line.is_empty() { break; } if line.starts_with('#') { return Err(TalDecodeError::CommentAfterHeader); } let url = match Url::parse(line) { Ok(u) => u, Err(_) => { if !ta_uris.is_empty() { return Err(TalDecodeError::MissingSeparatorEmptyLine); } return Err(TalDecodeError::InvalidUri(line.to_string())); } }; match url.scheme() { "rsync" | "https" => {} s => return Err(TalDecodeError::UnsupportedUriScheme(s.to_string())), } if url.path().ends_with('/') { return Err(TalDecodeError::UriIsDirectory(line.to_string())); } if url.path_segments().and_then(|mut s| s.next_back()).unwrap_or("").is_empty() { return Err(TalDecodeError::UriIsDirectory(line.to_string())); } ta_uris.push(url); idx += 1; } if ta_uris.is_empty() { return Err(TalDecodeError::MissingTaUris); } // 3) Empty line separator (must exist). if idx >= lines.len() || !lines[idx].trim().is_empty() { return Err(TalDecodeError::MissingSeparatorEmptyLine); } idx += 1; // 4) Base64(SPKI DER) remainder; allow line wrapping. let mut b64 = String::new(); while idx < lines.len() { let line = lines[idx].trim(); if !line.is_empty() { b64.push_str(line); } idx += 1; } if b64.is_empty() { return Err(TalDecodeError::MissingSpki); } let spki_der = base64::engine::general_purpose::STANDARD .decode(b64.as_bytes()) .map_err(|_| TalDecodeError::SpkiBase64Decode)?; if spki_der.is_empty() { return Err(TalDecodeError::SpkiDerEmpty); } Ok(Self { raw, comments, ta_uris, subject_public_key_info_der: spki_der, }) } }