mirror of https://github.com/ctz/rustls
deps: rcgen 0.12 -> 0.13
This updates the project dev dependency on rcgen from 0.12 to 0.13, fixing breaking API changes as appropriate.
parent
9444dcbc7b
commit
2b0e174be2
|
@ -349,6 +349,7 @@ dependencies = [
|
|||
"aws-lc-sys",
|
||||
"mirai-annotations",
|
||||
"paste",
|
||||
"untrusted 0.7.1",
|
||||
"zeroize",
|
||||
]
|
||||
|
||||
|
@ -2006,12 +2007,14 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "rcgen"
|
||||
version = "0.12.1"
|
||||
version = "0.13.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "48406db8ac1f3cbc7dcdb56ec355343817958a356ff430259bb07baf7607e1e1"
|
||||
checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779"
|
||||
dependencies = [
|
||||
"aws-lc-rs",
|
||||
"pem",
|
||||
"ring",
|
||||
"rustls-pki-types",
|
||||
"time",
|
||||
"yasna",
|
||||
]
|
||||
|
@ -2085,7 +2088,7 @@ dependencies = [
|
|||
"getrandom",
|
||||
"libc",
|
||||
"spin 0.9.8",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
"windows-sys 0.52.0",
|
||||
]
|
||||
|
||||
|
@ -2324,7 +2327,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
|||
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
|
||||
dependencies = [
|
||||
"ring",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2336,7 +2339,7 @@ dependencies = [
|
|||
"aws-lc-rs",
|
||||
"ring",
|
||||
"rustls-pki-types",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2364,7 +2367,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
|||
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
|
||||
dependencies = [
|
||||
"ring",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2745,6 +2748,12 @@ dependencies = [
|
|||
"subtle",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "untrusted"
|
||||
version = "0.7.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
|
||||
|
||||
[[package]]
|
||||
name = "untrusted"
|
||||
version = "0.9.0"
|
||||
|
|
|
@ -13,7 +13,7 @@ env_logger = "0.10" # 0.11 requires 1.71 MSRV even as a dev-dep (due to manifest
|
|||
log = { version = "0.4.4" }
|
||||
mio = { version = "0.8", features = ["net", "os-poll"] }
|
||||
pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
|
||||
rcgen = { version = "0.12", features = ["pem", "ring"], default-features = false }
|
||||
rcgen = { version = "0.13", features = ["pem", "aws_lc_rs"], default-features = false }
|
||||
rustls = { path = "../rustls", features = [ "logging" ]}
|
||||
rustls-pemfile = "2"
|
||||
serde = "1.0"
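Review bot: The `rcgen` line switches the crypto backend feature from `ring` to `aws_lc_rs` in the same edit as the version bump, while the commit description only mentions 0.12 -> 0.13. The same switch appears in the other manifest section further down the page (`features = ["aws_lc_rs"]`). The lockfile section also gains an `untrusted` 0.7.1 entry next to 0.9.0, which looks like a consequence of the switch, though the page does not show which package pulls it in. The backend decides which library generates the example keys and signs the test certificates, so I would record the reason in the description or as a trailing comment on the line, e.g. `# aws_lc_rs: <reason for backend switch>`.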
|
||||
|
|
|
@ -13,9 +13,8 @@ use std::time::Duration;
|
|||
use std::{fs, thread};
|
||||
|
||||
use docopt::Docopt;
|
||||
use rustls::pki_types::{
|
||||
CertificateDer, CertificateRevocationListDer, PrivateKeyDer, PrivatePkcs8KeyDer,
|
||||
};
|
||||
use rcgen::KeyPair;
|
||||
use rustls::pki_types::{CertificateRevocationListDer, PrivatePkcs8KeyDer};
|
||||
use rustls::server::{Acceptor, ClientHello, ServerConfig, WebPkiClientVerifier};
|
||||
use rustls::RootCertStore;
|
||||
use serde_derive::Deserialize;
|
||||
|
@ -58,19 +57,13 @@ fn main() {
|
|||
&args
|
||||
.flag_ca_path
|
||||
.unwrap_or("ca-cert.pem".to_string()),
|
||||
&test_pki
|
||||
.ca_cert
|
||||
.serialize_pem()
|
||||
.unwrap(),
|
||||
&test_pki.ca_cert.cert.pem(),
|
||||
);
|
||||
write_pem(
|
||||
&args
|
||||
.flag_client_cert_path
|
||||
.unwrap_or("client-cert.pem".to_string()),
|
||||
&test_pki
|
||||
.client_cert
|
||||
.serialize_pem_with_signer(&test_pki.ca_cert)
|
||||
.unwrap(),
|
||||
&test_pki.client_cert.cert.pem(),
|
||||
);
|
||||
write_pem(
|
||||
&args
|
||||
|
@ -78,7 +71,8 @@ fn main() {
|
|||
.unwrap_or("client-key.pem".to_string()),
|
||||
&test_pki
|
||||
.client_cert
|
||||
.serialize_private_key_pem(),
|
||||
.key_pair
|
||||
.serialize_pem(),
|
||||
);
|
||||
|
||||
// Write out an initial DER CRL that has no revoked certificates.
|
||||
|
@ -147,10 +141,9 @@ fn main() {
|
|||
/// A test PKI with a CA certificate, server certificate, and client certificate.
|
||||
struct TestPki {
|
||||
roots: Arc<RootCertStore>,
|
||||
ca_cert: rcgen::Certificate,
|
||||
client_cert: rcgen::Certificate,
|
||||
server_cert_der: CertificateDer<'static>,
|
||||
server_key_der: PrivateKeyDer<'static>,
|
||||
ca_cert: rcgen::CertifiedKey,
|
||||
client_cert: rcgen::CertifiedKey,
|
||||
server_cert: rcgen::CertifiedKey,
|
||||
}
|
||||
|
||||
impl TestPki {
|
||||
|
@ -158,7 +151,7 @@ impl TestPki {
|
|||
fn new() -> Self {
|
||||
// Create an issuer CA cert.
|
||||
let alg = &rcgen::PKCS_ECDSA_P256_SHA256;
|
||||
let mut ca_params = rcgen::CertificateParams::new(Vec::new());
|
||||
let mut ca_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
|
||||
ca_params
|
||||
.distinguished_name
|
||||
.push(rcgen::DnType::OrganizationName, "Rustls Server Acceptor");
|
||||
|
@ -171,44 +164,51 @@ impl TestPki {
|
|||
rcgen::KeyUsagePurpose::DigitalSignature,
|
||||
rcgen::KeyUsagePurpose::CrlSign,
|
||||
];
|
||||
ca_params.alg = alg;
|
||||
let ca_cert = rcgen::Certificate::from_params(ca_params).unwrap();
|
||||
let ca_key = KeyPair::generate_for(alg).unwrap();
|
||||
let ca_cert = ca_params.self_signed(&ca_key).unwrap();
|
||||
|
||||
// Create a server end entity cert issued by the CA.
|
||||
let mut server_ee_params = rcgen::CertificateParams::new(vec!["localhost".to_string()]);
|
||||
let mut server_ee_params =
|
||||
rcgen::CertificateParams::new(vec!["localhost".to_string()]).unwrap();
|
||||
server_ee_params.is_ca = rcgen::IsCa::NoCa;
|
||||
server_ee_params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ServerAuth];
|
||||
server_ee_params.alg = alg;
|
||||
let server_cert = rcgen::Certificate::from_params(server_ee_params).unwrap();
|
||||
let server_cert_der = CertificateDer::from(
|
||||
server_cert
|
||||
.serialize_der_with_signer(&ca_cert)
|
||||
.unwrap(),
|
||||
);
|
||||
let server_key_der = PrivatePkcs8KeyDer::from(server_cert.serialize_private_key_der());
|
||||
let ee_key = KeyPair::generate_for(alg).unwrap();
|
||||
let server_cert = server_ee_params
|
||||
.signed_by(&ee_key, &ca_cert, &ca_key)
|
||||
.unwrap();
|
||||
|
||||
// Create a client end entity cert issued by the CA.
|
||||
let mut client_ee_params = rcgen::CertificateParams::new(Vec::new());
|
||||
let mut client_ee_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
|
||||
client_ee_params
|
||||
.distinguished_name
|
||||
.push(rcgen::DnType::CommonName, "Example Client");
|
||||
client_ee_params.is_ca = rcgen::IsCa::NoCa;
|
||||
client_ee_params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ClientAuth];
|
||||
client_ee_params.alg = alg;
|
||||
client_ee_params.serial_number = Some(rcgen::SerialNumber::from(vec![0xC0, 0xFF, 0xEE]));
|
||||
let client_cert = rcgen::Certificate::from_params(client_ee_params).unwrap();
|
||||
let client_key = KeyPair::generate_for(alg).unwrap();
|
||||
let client_cert = client_ee_params
|
||||
.signed_by(&client_key, &ca_cert, &ca_key)
|
||||
.unwrap();
|
||||
|
||||
// Create a root cert store that includes the CA certificate.
|
||||
let mut roots = RootCertStore::empty();
|
||||
roots
|
||||
.add(CertificateDer::from(ca_cert.serialize_der().unwrap()))
|
||||
.add(ca_cert.der().clone())
|
||||
.unwrap();
|
||||
Self {
|
||||
roots: roots.into(),
|
||||
ca_cert,
|
||||
client_cert,
|
||||
server_cert_der,
|
||||
server_key_der: server_key_der.into(),
|
||||
ca_cert: rcgen::CertifiedKey {
|
||||
cert: ca_cert,
|
||||
key_pair: ca_key,
|
||||
},
|
||||
client_cert: rcgen::CertifiedKey {
|
||||
cert: client_cert,
|
||||
key_pair: client_key,
|
||||
},
|
||||
server_cert: rcgen::CertifiedKey {
|
||||
cert: server_cert,
|
||||
key_pair: ee_key,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -238,11 +238,11 @@ impl TestPki {
|
|||
let mut server_config = ServerConfig::builder()
|
||||
.with_client_cert_verifier(verifier)
|
||||
.with_single_cert(
|
||||
vec![self.server_cert_der.clone()],
|
||||
vec![self.server_cert.cert.der().clone()],
|
||||
PrivatePkcs8KeyDer::from(
|
||||
self.server_key_der
|
||||
.secret_der()
|
||||
.to_owned(),
|
||||
self.server_cert
|
||||
.key_pair
|
||||
.serialize_der(),
|
||||
)
|
||||
.into(),
|
||||
)
|
||||
|
@ -256,7 +256,11 @@ impl TestPki {
|
|||
|
||||
/// Issue a certificate revocation list (CRL) for the revoked `serials` provided (may be empty).
|
||||
/// The CRL will be signed by the test PKI CA and returned in DER serialized form.
|
||||
fn crl(&self, serials: Vec<rcgen::SerialNumber>, next_update_seconds: u64) -> Vec<u8> {
|
||||
fn crl(
|
||||
&self,
|
||||
serials: Vec<rcgen::SerialNumber>,
|
||||
next_update_seconds: u64,
|
||||
) -> CertificateRevocationListDer {
|
||||
// In a real use-case you would want to set this to the current date/time.
|
||||
let now = rcgen::date_time_ymd(2023, 1, 1);
|
||||
|
||||
|
@ -272,19 +276,18 @@ impl TestPki {
|
|||
.collect();
|
||||
|
||||
// Create a new CRL signed by the CA cert.
|
||||
let crl = rcgen::CertificateRevocationListParams {
|
||||
let crl_params = rcgen::CertificateRevocationListParams {
|
||||
this_update: now,
|
||||
next_update: now.add(Duration::from_secs(next_update_seconds)),
|
||||
crl_number: rcgen::SerialNumber::from(1234),
|
||||
issuing_distribution_point: None,
|
||||
revoked_certs,
|
||||
key_identifier_method: rcgen::KeyIdMethod::Sha256,
|
||||
alg: &rcgen::PKCS_ECDSA_P256_SHA256,
|
||||
};
|
||||
rcgen::CertificateRevocationList::from_params(crl)
|
||||
.unwrap()
|
||||
.serialize_der_with_signer(&self.ca_cert)
|
||||
crl_params
|
||||
.signed_by(&self.ca_cert.cert, &self.ca_cert.key_pair)
|
||||
.unwrap()
|
||||
.into()
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -311,7 +314,8 @@ impl CrlUpdater {
|
|||
vec![self
|
||||
.pki
|
||||
.client_cert
|
||||
.get_params()
|
||||
.cert
|
||||
.params()
|
||||
.serial_number
|
||||
.clone()
|
||||
.unwrap()]
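Review bot: The new return type of `crl` is written as `CertificateRevocationListDer` with its lifetime parameter hidden, so elision ties it to `&self` and the returned CRL is treated as borrowing the `TestPki`. The value looks owned, since it comes from `.into()` on a freshly signed CRL, so I would spell the signature `) -> CertificateRevocationListDer<'static> {`. That lets callers hold or move the CRL independently of the PKI, and it keeps the `elided_lifetimes_in_paths` lint quiet if the crate enables it. The body of `crl` is split across two hunks, and part of it is not shown on the page.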
|
||||
|
|
|
@ -28,7 +28,7 @@ x25519-dalek = "2"
|
|||
[dev-dependencies]
|
||||
env_logger = "0.10" # 0.11 requires 1.71 MSRV even as a dev-dep (due to manifest features)
|
||||
hex = "0.4.3"
|
||||
rcgen = { version = "0.12", features = ["ring"] }
|
||||
rcgen = { version = "0.13", features = ["aws_lc_rs"] }
|
||||
serde = { version = "1", features = ["derive"] }
|
||||
serde_json = "1"
|
||||
webpki-roots = "0.26"
|
||||
|
|
|
@ -58,7 +58,7 @@ struct TestPki {
|
|||
impl TestPki {
|
||||
fn new() -> Self {
|
||||
let alg = &rcgen::PKCS_ECDSA_P256_SHA256;
|
||||
let mut ca_params = rcgen::CertificateParams::new(Vec::new());
|
||||
let mut ca_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
|
||||
ca_params
|
||||
.distinguished_name
|
||||
.push(rcgen::DnType::OrganizationName, "Provider Server Example");
|
||||
|
@ -70,25 +70,22 @@ impl TestPki {
|
|||
rcgen::KeyUsagePurpose::KeyCertSign,
|
||||
rcgen::KeyUsagePurpose::DigitalSignature,
|
||||
];
|
||||
ca_params.alg = alg;
|
||||
let ca_cert = rcgen::Certificate::from_params(ca_params).unwrap();
|
||||
let ca_key = rcgen::KeyPair::generate_for(alg).unwrap();
|
||||
let ca_cert = ca_params.self_signed(&ca_key).unwrap();
|
||||
|
||||
// Create a server end entity cert issued by the CA.
|
||||
let mut server_ee_params = rcgen::CertificateParams::new(vec!["localhost".to_string()]);
|
||||
let mut server_ee_params =
|
||||
rcgen::CertificateParams::new(vec!["localhost".to_string()]).unwrap();
|
||||
server_ee_params.is_ca = rcgen::IsCa::NoCa;
|
||||
server_ee_params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ServerAuth];
|
||||
server_ee_params.alg = alg;
|
||||
let server_cert = rcgen::Certificate::from_params(server_ee_params).unwrap();
|
||||
let server_cert_der = CertificateDer::from(
|
||||
server_cert
|
||||
.serialize_der_with_signer(&ca_cert)
|
||||
.unwrap(),
|
||||
);
|
||||
let server_key_der =
|
||||
PrivatePkcs8KeyDer::from(server_cert.serialize_private_key_der()).into();
|
||||
let server_key = rcgen::KeyPair::generate_for(alg).unwrap();
|
||||
let server_cert = server_ee_params
|
||||
.signed_by(&server_key, &ca_cert, &ca_key)
|
||||
.unwrap();
|
||||
Self {
|
||||
server_cert_der,
|
||||
server_key_der,
|
||||
server_cert_der: server_cert.into(),
|
||||
// TODO(XXX): update below once https://github.com/rustls/rcgen/issues/260 is resolved.
|
||||
server_key_der: PrivatePkcs8KeyDer::from(server_key.serialize_der()).into(),
|
||||
}
|
||||
}
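Review bot: The added `TODO(XXX)` above `server_key_der` links rcgen issue 260 but does not say what "update below" means, so a reader has to open the issue to learn what the manual `PrivatePkcs8KeyDer::from(server_key.serialize_der()).into()` wrapping stands in for. State the awaited change in the comment itself, e.g. `// TODO(XXX): replace this manual PKCS#8 wrapping once <awaited rcgen API> is available (rustls/rcgen#260).` The acceptor example earlier on the page does the same wrapping via `self.server_cert.key_pair.serialize_der()` with no TODO, so both places should carry the same marker. `impl TestPki` continues outside this hunk.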
|
||||
|
||||
|
|