Skip to content

Add certificate profile validation against C2PA schemas#8

Open
erik-sv wants to merge 4 commits into
contentauth:mainfrom
encypherai:upstream/feat/cert-profile
Open

Add certificate profile validation against C2PA schemas#8
erik-sv wants to merge 4 commits into
contentauth:mainfrom
encypherai:upstream/feat/cert-profile

Conversation

@erik-sv
Copy link
Copy Markdown

@erik-sv erik-sv commented May 5, 2026

Summary

Adds --cert-profile, --cert-schema, and --emit-cert-json CLI flags for validating X.509 certificates against the C2PA conformance program's certificate profile JSON schemas.

The conformance program defines four certificate profiles: root CA, claim signing issuing CA, claim signing leaf (AL1), and OCSP responder leaf. Each profile has a JSON schema that specifies required extensions, key usage constraints, and naming conventions. Validating a certificate against these schemas before submission catches profile violations early.

The new cert_profile module:

  1. Parses PEM or DER certificates using x509-parser.
  2. Serializes the certificate to the JSON structure expected by the C2PA schemas, including _pyasn1_decoded representations of custom extensions (Authority Information Access, CRL Distribution Points, Subject Alternative Name).
  3. Validates the JSON against the specified Draft 2020-12 JSON Schema using the jsonschema crate.
  4. Reports pass/fail with the specific schema validation errors.

Depends on #7 for shared CLI infrastructure.

Usage

# Validate a leaf certificate against the AL1 profile
c2pa-validate --cert-profile leaf.pem \
  --cert-schema testfiles/c2pa-cert-schemas/claimSigningLeaf.al1.cert.schema.json

# Emit the certificate's JSON representation for debugging
c2pa-validate --cert-profile leaf.pem --emit-cert-json

# Validate a root CA
c2pa-validate --cert-profile root.pem \
  --cert-schema testfiles/c2pa-cert-schemas/rootCA.cert.schema.json

Test plan

  • cargo test cert_profile passes for all integration tests
  • PEM and DER certificate parsing produces identical JSON output
  • Schema validation catches missing required extensions (key usage, basic constraints)
  • --emit-cert-json produces valid JSON matching the schema's expected structure
  • All four C2PA certificate profile schemas included and tested

erik-sv and others added 4 commits May 5, 2026 20:26
@erik-sv
feat: add rubric evaluation to conformance CLI
c2ab954 
Add full rubric evaluation pipeline for the C2PA asset conformance
program's composable rubric framework.

json-formula-rs:
- Add normalize_expression() for bare true/false/null keyword rewriting
- Add arg_count() helper and $argN parameterized named expression support
  in register_expression() with globals injection and save/restore pattern

profile-evaluator-rs:
- Add evaluate_rubric_conformance() for whole-crJSON conformance evaluation
  with failIfMatched support and true/false trait bucketing
- Add evaluate_rubric_signals() for per-manifest signal detection with
  inception/transformation grouping, ingredient index resolution,
  assertedBy extraction, and mimeType derivation
- Support both report_text (profiles) and reportText (rubrics) field names
- 36 golden fixture tests matching upstream Python reference evaluator
  output (1 documented deviation: startsWith array projection in ii2i)

c2pa-validate CLI:
- Add -rubric, -rubric-dir, -rubric-mode (conformance/signals),
  -emit-crjson, -crjson, -rubric-strict flags
- Remove crJSON evaluation bail that blocked rubric eval on crJSON inputs
- Add rubric_results to CrJsonValidationReport for structured output

Test fixtures:
- 5 rubric YAML files from c2pa-org/conformance PR #324
- 18 golden test scenarios (54 files) from upstream test suite
@erik-sv
feat: add untrusted asset rubric evaluation pipeline
8f52f57 
When --rubric is used with binary assets, the CLI now extracts crJSON
and runs rubric evaluation even when trust verification fails. This
supports the conformance program onboarding workflow where products
use self-signed certificates before receiving program-issued certs.

The pipeline attempts trust verification first, then falls back to
reading with verify_trust disabled. The crJSON validationResults still
reflect the untrusted state, so the trusted_success trait fails as
expected while all other conformance traits can be evaluated.

Also fix structured JSON output for CrJsonValidation report items so
rubric results are properly serialized instead of null.
@erik-sv
fix: update json-formula-rs and profile-evaluator-rs for expression h…
f00f375 
…andling

Move $argN injection and bare-keyword normalization from json-formula-rs
to profile-evaluator-rs. This keeps json-formula-rs upstream-compatible
while supporting parameterized named expressions in rubric evaluation.

json-formula-rs retains only register_function() and globals_mut() as
additions over upstream. All expression preprocessing now runs in the
evaluator layer at registration time.
@erik-sv
feat(cert-profile): add certificate profile validation against C2PA s…
2ddf6b9 
…chemas

Add --cert-profile, --cert-schema, and --emit-cert-json CLI flags for
validating X.509 certificates against the C2PA conformance program's
certificate profile JSON schemas. The new cert_profile module parses
PEM/DER certificates using x509-parser, serializes them to the JSON
format expected by the schemas (including _pyasn1_decoded for custom
C2PA extensions), and validates against Draft 2020-12 JSON Schema.

Supports all four C2PA certificate profiles: root CA, claim signing
issuing CA, claim signing leaf (AL1), and OCSP responder leaf.

Bump version to 0.4.0.
@erik-sv erik-sv closed this May 5, 2026
@erik-sv erik-sv reopened this May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@erik-sv