feat(api): add Intel DCAP API client module

Introduced a new `intel-dcap-api` crate for interacting with Intel's DCAP APIs.
- Implemented various API client functionalities for SGX/TDX attestation services.
- Added support for registration, certification, enclave identity, and FMSPC retrieval.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

Cargo.lock

@@ -2603,6 +2603,21 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "intel-dcap-api"
+version = "0.3.0"
+dependencies = [
+ "hex",
+ "percent-encoding",
+ "reqwest",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.11",
+ "tokio",
+ "url",
+ "x509-cert",
+]
+
 [[package]]
 name = "intel-tee-quote-verification-sys"
 version = "0.2.1"

Cargo.toml

@@ -31,6 +31,7 @@ enumset = { version = "1.1", features = ["serde"] }
 getrandom = { version = "0.3.1", features = ["std"] }
 gpt = "4.0.0"
 hex = { version = "0.4.3", features = ["std"], default-features = false }
+intel-dcap-api = { path = "crates/intel-dcap-api" }
 num-integer = "0.1.46"
 num-traits = "0.2.18"
 opentelemetry = { version = "0.28.0", features = ["default", "logs"] }
@@ -65,5 +66,5 @@ tracing-log = "0.2"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json", "ansi"] }
 tracing-test = { version = "0.2.5", features = ["no-env-filter"] }
 url = "2.5.2"
-x509-cert = { version = "0.2", features = ["builder", "signature"] }
+x509-cert = { version = "0.2", features = ["builder", "signature", "default"] }
 zeroize = { version = "1.7.0", features = ["serde"] }

crates/intel-dcap-api/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "intel-dcap-api"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+keywords = ["sgx", "tdx", "intel", "attestation", "confidential"]
+categories = ["api-bindings", "cryptography", "authentication"]
+
+[dependencies]
+percent-encoding = "2.3.1"
+reqwest = { workspace = true, features = ["json"] }
+serde.workspace = true
+serde_json.workspace = true
+thiserror.workspace = true
+tokio.workspace = true
+url.workspace = true
+
+[dev-dependencies]
+hex.workspace = true
+x509-cert.workspace = true
+
+[features]
+default = ["reqwest/default-tls"]
+rustls = ["reqwest/rustls-tls"]

crates/intel-dcap-api/examples/example.rs

@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+use intel_dcap_api::{
+    ApiClient, ApiVersion, CaType, CrlEncoding, EnclaveIdentityResponse, IntelApiError,
+    PckCrlResponse, PlatformFilter, TcbInfoResponse,
+};
+
+#[tokio::main]
+async fn main() -> Result<(), IntelApiError> {
+    for api_version in [ApiVersion::V3, ApiVersion::V4] {
+        println!("Using API version: {}", api_version);
+
+        let client = ApiClient::new_with_version(api_version)?;
+
+        // Example: Get SGX TCB Info
+        let fmspc_example = "00606A000000"; // Example FMSPC from docs
+        match client.get_sgx_tcb_info(fmspc_example, None, None).await {
+            Ok(TcbInfoResponse {
+                tcb_info_json,
+                issuer_chain,
+            }) => println!(
+                "SGX TCB Info for {}:\n{}\nIssuer Chain: {}",
+                fmspc_example, tcb_info_json, issuer_chain
+            ),
+            Err(e) => eprintln!("Error getting SGX TCB info: {}", e),
+        }
+
+        // Example: Get FMSPCs
+        match client.get_fmspcs(Some(PlatformFilter::E3)).await {
+            // Filter for E3 platform type [cite: 230]
+            Ok(fmspc_list) => println!("\nE3 FMSPCs:\n{}", fmspc_list),
+            Err(e) => eprintln!("Error getting FMSPCs: {}", e),
+        }
+
+        // Example: Get SGX QE Identity
+        match client.get_sgx_qe_identity(None, None).await {
+            Ok(EnclaveIdentityResponse {
+                enclave_identity_json,
+                issuer_chain,
+            }) => {
+                println!(
+                    "\nSGX QE Identity:\n{}\nIssuer Chain: {}",
+                    enclave_identity_json, issuer_chain
+                )
+            }
+            Err(e) => eprintln!("Error getting SGX QE Identity: {}", e),
+        }
+
+        // Example: Get PCK CRL (Platform CA, PEM encoding)
+        match client
+            .get_pck_crl(CaType::Platform, Some(CrlEncoding::Pem))
+            .await
+        {
+            // [cite: 118, 119]
+            Ok(PckCrlResponse {
+                crl_data,
+                issuer_chain,
+            }) => {
+                // Attempt to decode PEM for display, otherwise show byte count
+                match String::from_utf8(crl_data.clone()) {
+                    Ok(pem_string) => println!(
+                        "\nPlatform PCK CRL (PEM):\n{}\nIssuer Chain: {}",
+                        pem_string, issuer_chain
+                    ),
+                    Err(_) => println!(
+                        "\nPlatform PCK CRL ({} bytes, likely DER):\nIssuer Chain: {}",
+                        crl_data.len(),
+                        issuer_chain
+                    ),
+                }
+            }
+            Err(e) => eprintln!("Error getting PCK CRL: {}", e),
+        }
+    }
+
+    Ok(())
+}

crates/intel-dcap-api/examples/get_pck_crl.rs

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+use intel_dcap_api::{ApiClient, CaType, CrlEncoding, IntelApiError, PckCrlResponse};
+use x509_cert::{
+    der::{oid::AssociatedOid, Decode, SliceReader},
+    ext::pkix::{
+        crl::dp::DistributionPoint,
+        name::{DistributionPointName, GeneralName},
+        CrlDistributionPoints,
+    },
+};
+
+#[tokio::main]
+async fn main() -> Result<(), IntelApiError> {
+    let client = ApiClient::new()?;
+
+    let PckCrlResponse {
+        crl_data,
+        issuer_chain,
+    } = client
+        .get_pck_crl(CaType::Platform, Some(CrlEncoding::Der))
+        .await?;
+
+    let certs = x509_cert::certificate::CertificateInner::<
+        x509_cert::certificate::Rfc5280
+    >::load_pem_chain(issuer_chain.as_bytes()).map_err(
+        |_| IntelApiError::InvalidParameter("Could not load a PEM chain")
+    )?;
+
+    for cert in certs {
+        println!("Issuer: {}", cert.tbs_certificate.issuer);
+        println!("Subject: {}", cert.tbs_certificate.subject);
+        println!("Serial Number: {}", cert.tbs_certificate.serial_number);
+        println!("Not Before: {}", cert.tbs_certificate.validity.not_before);
+        println!("Not After: {}", cert.tbs_certificate.validity.not_after);
+
+        // Extract and print CRL distribution points
+        if let Some(extensions) = &cert.tbs_certificate.extensions {
+            for ext in extensions.iter() {
+                if ext.extn_id == CrlDistributionPoints::OID {
+                    // Create a SliceReader from the byte slice
+                    let mut reader = SliceReader::new(ext.extn_value.as_bytes()).map_err(|_| {
+                        IntelApiError::InvalidParameter(
+                            "Could not create reader from extension value",
+                        )
+                    })?;
+
+                    // Now pass the reader to decode_value
+                    if let Ok(dist_points) = Vec::<DistributionPoint>::decode(&mut reader) {
+                        for point in dist_points {
+                            if let Some(DistributionPointName::FullName(names)) =
+                                point.distribution_point
+                            {
+                                for name in names {
+                                    if let GeneralName::UniformResourceIdentifier(uri) = name {
+                                        let uri = uri.as_str();
+                                        let crl_bytes = reqwest::get(uri).await?.bytes().await?;
+                                        println!("CRL bytes (hex): {}", hex::encode(&crl_bytes));
+                                    }
+                                }
+                            }
+                        }
+                    } else {
+                        println!("Could not decode CRL distribution points");
+                    }
+                }
+            }
+        }
+    }
+
+    println!("CRL bytes (hex): {}", hex::encode(&crl_data));
+
+    Ok(())
+}

crates/intel-dcap-api/src/error.rs

@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+use reqwest::{Response, StatusCode};
+use thiserror::Error;
+
+/// Represents all possible errors that can occur when interacting with Intel's DCAP API.
+#[derive(Error, Debug)]
+pub enum IntelApiError {
+    /// Indicates that the requested API version or feature is unsupported.
+    #[error("Unsupported API version or feature: {0}")]
+    UnsupportedApiVersion(String),
+
+    /// Wraps an underlying reqwest error.
+    #[error("Reqwest error: {0}")]
+    Reqwest(#[from] reqwest::Error),
+
+    /// Wraps a URL parsing error.
+    #[error("URL parsing error: {0}")]
+    UrlParse(#[from] url::ParseError),
+
+    /// Wraps a Serde JSON error.
+    #[error("Serde JSON error: {0}")]
+    JsonError(#[from] serde_json::Error),
+
+    /// Represents a general API error, capturing the HTTP status and optional error details.
+    #[error("API Error: Status={status}, Request-ID={request_id}, Code={error_code:?}, Message={error_message:?}")]
+    ApiError {
+        /// HTTP status code returned by the API.
+        status: StatusCode,
+        /// The unique request identifier for tracing errors.
+        request_id: String,
+        /// An optional server-provided error code.
+        error_code: Option<String>,
+        /// An optional server-provided error message.
+        error_message: Option<String>,
+    },
+
+    /// Indicates that a header is missing or invalid.
+    #[error("Header missing or invalid: {0}")]
+    MissingOrInvalidHeader(&'static str),
+
+    /// Represents an invalid subscription key.
+    #[error("Invalid Subscription Key format")]
+    InvalidSubscriptionKey,
+
+    /// Indicates that conflicting parameters were supplied.
+    #[error("Cannot provide conflicting parameters: {0}")]
+    ConflictingParameters(&'static str),
+
+    /// Wraps a standard I/O error.
+    #[error("I/O Error: {0}")]
+    Io(#[from] std::io::Error),
+
+    /// Represents an error while parsing a header's value.
+    #[error("Header value parse error for '{0}': {1}")]
+    HeaderValueParse(&'static str, String),
+
+    /// Indicates an invalid parameter was provided.
+    #[error("Invalid parameter value: {0}")]
+    InvalidParameter(&'static str),
+}
+
+/// Extracts common API error details from response headers.
+pub(crate) fn extract_api_error_details(
+    response: &Response,
+) -> (String, Option<String>, Option<String>) {
+    let request_id = response
+        .headers()
+        .get("Request-ID")
+        .and_then(|v| v.to_str().ok())
+        .unwrap_or("Unknown")
+        .to_string();
+    let error_code = response
+        .headers()
+        .get("Error-Code")
+        .and_then(|v| v.to_str().ok())
+        .map(String::from);
+    let error_message = response
+        .headers()
+        .get("Error-Message")
+        .and_then(|v| v.to_str().ok())
+        .map(String::from);
+    (request_id, error_code, error_message)
+}
+
+/// Checks the response status and returns an ApiError if it's not one of the expected statuses.
+pub(crate) async fn check_status(
+    response: Response,
+    expected_statuses: &[StatusCode],
+) -> Result<Response, IntelApiError> {
+    let status = response.status();
+    if expected_statuses.contains(&status) {
+        Ok(response)
+    } else {
+        let (request_id, error_code, error_message) = extract_api_error_details(&response);
+        Err(IntelApiError::ApiError {
+            status,
+            request_id,
+            error_code,
+            error_message,
+        })
+    }
+}

crates/intel-dcap-api/src/lib.rs

@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+//! Intel API Client
+//!
+//! This module provides an API client for interacting with the Intel API for Trusted Services.
+//! The API follows the documentation found at [Intel API Documentation](https://api.portal.trustedservices.intel.com/content/documentation.html).
+//!
+//! Create an [`ApiClient`] to interface with the Intel API.
+//!
+//! Example
+//! ```rust,no_run
+//! use intel_dcap_api::{ApiClient, IntelApiError, TcbInfoResponse};
+//!
+//! #[tokio::main]
+//! async fn main() -> Result<(), IntelApiError> {
+//!    let client = ApiClient::new()?;
+//!
+//!    // Example: Get SGX TCB Info
+//!    let fmspc_example = "00606A000000"; // Example FMSPC from docs
+//!    match client.get_sgx_tcb_info(fmspc_example, None, None).await {
+//!        Ok(TcbInfoResponse {
+//!               tcb_info_json,
+//!               issuer_chain,
+//!           }) => println!(
+//!            "SGX TCB Info for {}:\n{}\nIssuer Chain: {}",
+//!           fmspc_example, tcb_info_json, issuer_chain
+//!        ),
+//!        Err(e) => eprintln!("Error getting SGX TCB info: {}", e),
+//!    }
+//!
+//!    Ok(())
+//! }
+//! ```
+
+#![deny(missing_docs)]
+#![deny(clippy::all)]
+
+mod client;
+mod error;
+mod requests;
+mod responses;
+mod types;
+
+// Re-export public items
+pub use client::ApiClient;
+pub use error::IntelApiError;
+pub use responses::{
+    AddPackageResponse, EnclaveIdentityJson, EnclaveIdentityResponse, FmspcJsonResponse,
+    PckCertificateResponse, PckCertificatesResponse, PckCrlResponse, TcbEvaluationDataNumbersJson,
+    TcbEvaluationDataNumbersResponse, TcbInfoJson, TcbInfoResponse,
+};
+pub use types::{ApiVersion, CaType, CrlEncoding, PlatformFilter, UpdateType};

crates/intel-dcap-api/src/requests.rs

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+use serde::Serialize;
+
+#[derive(Serialize)]
+pub(crate) struct PckCertRequest<'a> {
+    #[serde(rename = "platformManifest")]
+    pub(crate) platform_manifest: &'a str,
+    pub(crate) cpusvn: &'a str,
+    pub(crate) pcesvn: &'a str,
+    pub(crate) pceid: &'a str,
+}
+
+#[derive(Serialize)]
+pub(crate) struct PckCertsRequest<'a> {
+    #[serde(rename = "platformManifest")]
+    pub(crate) platform_manifest: &'a str,
+    pub(crate) pceid: &'a str,
+}
+
+#[derive(Serialize)]
+pub(crate) struct PckCertsConfigRequest<'a> {
+    #[serde(rename = "platformManifest")]
+    pub(crate) platform_manifest: &'a str,
+    pub(crate) cpusvn: &'a str,
+    pub(crate) pceid: &'a str,
+}

crates/intel-dcap-api/src/responses.rs

@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+/// JSON structure as defined in Appendix A of the API spec.
+/// Content may vary slightly between API v3 and v4.
+pub type TcbInfoJson = String;
+
+/// JSON structure as defined in Appendix B of the API spec.
+/// Content may vary slightly between API v3 and v4.
+pub type EnclaveIdentityJson = String;
+
+/// JSON Array of {tcb, tcbm, cert}.
+/// Content structure expected to be consistent between v3 and v4.
+pub type PckCertsJsonResponse = String;
+
+/// JSON Array of {fmspc, platform}.
+/// Content structure expected to be consistent between v3 and v4.
+pub type FmspcJsonResponse = String;
+
+/// JSON structure as defined in Appendix C of the API spec (V4 ONLY).
+pub type TcbEvaluationDataNumbersJson = String;
+
+/// Response structure for a PCK (Platform Configuration Key) Certificate.
+///
+/// Contains the PCK certificate, its issuer chain, TCB measurement, and FMSPC value.
+#[derive(Debug, Clone)]
+pub struct PckCertificateResponse {
+    /// PEM-encoded PCK certificate.
+    pub pck_cert_pem: String,
+    /// PEM-encoded certificate chain for the PCK certificate issuer.
+    /// Header name differs between v3 ("PCS-Certificate-Issuer-Chain") and v4 ("SGX-PCK-Certificate-Issuer-Chain").
+    pub issuer_chain: String,
+    /// TCBm value associated with the certificate (Hex-encoded).
+    pub tcbm: String,
+    /// FMSPC value associated with the certificate (Hex-encoded).
+    pub fmspc: String,
+}
+
+/// Response structure for multiple PCK (Platform Configuration Key) Certificates.
+///
+/// Contains a JSON array of PCK certificates, their issuer chain, and the associated FMSPC value.
+/// This struct represents the response for retrieving multiple PCK certificates from the Intel SGX API.
+#[derive(Debug, Clone)]
+pub struct PckCertificatesResponse {
+    /// JSON array containing PCK certificates and their associated TCB levels.
+    pub pck_certs_json: PckCertsJsonResponse, // String alias for now
+    /// PEM-encoded certificate chain for the PCK certificate issuer.
+    /// Header name differs between v3 ("PCS-Certificate-Issuer-Chain") and v4 ("SGX-PCK-Certificate-Issuer-Chain").
+    pub issuer_chain: String,
+    /// FMSPC value associated with the certificates (Hex-encoded).
+    pub fmspc: String,
+}
+
+/// Response structure for TCB (Trusted Computing Base) Information.
+///
+/// Contains the JSON representation of TCB information for a specific platform,
+/// along with the certificate chain of the TCB Info signer.
+#[derive(Debug, Clone)]
+pub struct TcbInfoResponse {
+    /// JSON containing TCB information for a specific platform (FMSPC).
+    pub tcb_info_json: TcbInfoJson, // String alias for now
+    /// PEM-encoded certificate chain for the TCB Info signer.
+    /// Header name differs slightly between v3 ("SGX-TCB-Info-Issuer-Chain") and v4 ("TCB-Info-Issuer-Chain" - check spec).
+    pub issuer_chain: String,
+}
+
+/// Response structure for Enclave Identity Information.
+///
+/// Contains the JSON representation of enclave identity details for QE, QvE, or QAE,
+/// along with its issuer chain.
+#[derive(Debug, Clone)]
+pub struct EnclaveIdentityResponse {
+    /// JSON containing information about the QE, QvE, or QAE.
+    pub enclave_identity_json: EnclaveIdentityJson, // String alias for now
+    /// PEM-encoded certificate chain for the Enclave Identity signer.
+    /// Header name seems consistent ("SGX-Enclave-Identity-Issuer-Chain").
+    pub issuer_chain: String,
+}
+
+/// Response structure for TCB Evaluation Data Numbers (V4 ONLY).
+///
+/// Contains the JSON representation of supported TCB Evaluation Data Numbers
+/// and its corresponding issuer chain.
+#[derive(Debug, Clone)]
+pub struct TcbEvaluationDataNumbersResponse {
+    /// JSON containing the list of supported TCB Evaluation Data Numbers (V4 ONLY).
+    pub tcb_evaluation_data_numbers_json: TcbEvaluationDataNumbersJson, // String alias for now
+    /// PEM-encoded certificate chain for the TCB Evaluation Data Numbers signer (V4 ONLY).
+    /// Header: "TCB-Evaluation-Data-Numbers-Issuer-Chain".
+    pub issuer_chain: String,
+}
+
+/// Response structure for Platform Configuration Key Certificate Revocation List (PCK CRL).
+///
+/// Contains the CRL data and its issuer chain for validating platform configuration keys.
+#[derive(Debug, Clone)]
+pub struct PckCrlResponse {
+    /// CRL data (PEM or DER encoded).
+    pub crl_data: Vec<u8>,
+    /// PEM-encoded certificate chain for the CRL issuer.
+    /// Header name differs between v3 ("PCS-CRL-Issuer-Chain") and v4 ("SGX-PCK-CRL-Issuer-Chain").
+    pub issuer_chain: String,
+}
+
+/// Response structure for the request to add a package.
+pub struct AddPackageResponse {
+    /// Platform Membership Certificates
+    pub pck_certs: Vec<u8>,
+    /// The certificate count extracted from the response header.
+    pub pck_cert_count: usize,
+}

crates/intel-dcap-api/src/types.rs

@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2025 Matter Labs
+
+use std::fmt;
+
+/// Represents the type of Certificate Authority (CA) for Intel Trusted Services.
+///
+/// This enum defines the different types of Certificate Authorities used in the Intel DCAP API,
+/// specifically distinguishing between processor and platform CAs.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum CaType {
+    /// Represents a processor-specific Certificate Authority.
+    Processor,
+    /// Represents a platform-wide Certificate Authority.
+    Platform,
+}
+
+impl fmt::Display for CaType {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            CaType::Processor => write!(f, "processor"),
+            CaType::Platform => write!(f, "platform"),
+        }
+    }
+}
+
+/// Represents the encoding format for Certificate Revocation Lists (CRLs).
+///
+/// This enum defines the supported encoding formats for CRLs in the Intel DCAP API,
+/// distinguishing between PEM (Privacy Enhanced Mail) and DER (Distinguished Encoding Rules) formats.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum CrlEncoding {
+    /// Represents the PEM (Privacy Enhanced Mail) encoding format.
+    Pem,
+    /// Represents the DER (Distinguished Encoding Rules) encoding format.
+    Der,
+}
+
+impl fmt::Display for CrlEncoding {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            CrlEncoding::Pem => write!(f, "pem"),
+            CrlEncoding::Der => write!(f, "der"),
+        }
+    }
+}
+
+/// Represents the type of update for Intel Trusted Services.
+///
+/// This enum defines different update types, distinguishing between early and standard updates
+/// in the Intel DCAP (Data Center Attestation Primitives) API.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum UpdateType {
+    /// Represents early updates, typically used for preview or beta releases.
+    Early,
+    /// Represents standard updates, which are the regular release cycle.
+    Standard,
+}
+
+impl fmt::Display for UpdateType {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            UpdateType::Early => write!(f, "early"),
+            UpdateType::Standard => write!(f, "standard"),
+        }
+    }
+}
+
+/// Represents the platform filter options for Intel DCAP (Data Center Attestation Primitives) API.
+///
+/// This enum allows filtering platforms based on different criteria,
+/// such as selecting all platforms, client-specific platforms, or specific Intel processor generations.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum PlatformFilter {
+    /// Represents a selection of all available platforms.
+    All,
+    /// Represents a selection of client-specific platforms.
+    Client,
+    /// Represents platforms with Intel E3 processors.
+    E3,
+    /// Represents platforms with Intel E5 processors.
+    E5,
+}
+
+impl fmt::Display for PlatformFilter {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            PlatformFilter::All => write!(f, "all"),
+            PlatformFilter::Client => write!(f, "client"),
+            PlatformFilter::E3 => write!(f, "E3"),
+            PlatformFilter::E5 => write!(f, "E5"),
+        }
+    }
+}
+
+/// Represents the version of the Intel Trusted Services API to target.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ApiVersion {
+    /// Represents version 3 of the Intel Trusted Services API.
+    V3,
+    /// Represents version 4 of the Intel Trusted Services API.
+    V4,
+}
+
+impl ApiVersion {
+    /// Returns the string representation of the version for URL paths.
+    pub fn path_segment(&self) -> &'static str {
+        match self {
+            ApiVersion::V3 => "v3",
+            ApiVersion::V4 => "v4",
+        }
+    }
+}
+
+impl fmt::Display for ApiVersion {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            ApiVersion::V3 => write!(f, "v3"),
+            ApiVersion::V4 => write!(f, "v4"),
+        }
+    }
+}