OwnedTrustAnchor: subject is a DistinguishedName

Store the subject field as the DistinguishedName type, and also return &DistinguishedName from subject().
2023-03-27 12:36:53 -07:00 · 2023-03-27 12:36:53 -07:00 · 2df280cae2
parent a8d763efd5
commit 2df280cae2
5 changed files with 15 additions and 19 deletions
--- a/rustls/src/anchors.rs
+++ b/rustls/src/anchors.rs
@ -1,12 +1,12 @@
-use crate::key;
 #[cfg(feature = "logging")]
 use crate::log::{debug, trace};
+use crate::{key, DistinguishedName};
 use crate::{CertificateError, Error};

 /// A trust anchor, commonly known as a "Root Certificate."
 #[derive(Debug, Clone)]
 pub struct OwnedTrustAnchor {
-    subject: Vec<u8>,
+    subject: DistinguishedName,
    spki: Vec<u8>,
    name_constraints: Option<Vec<u8>>,
 }
@ -15,7 +15,7 @@ impl OwnedTrustAnchor {
    /// Get a `webpki::TrustAnchor` by borrowing the owned elements.
    pub(crate) fn to_trust_anchor(&self) -> webpki::TrustAnchor {
        webpki::TrustAnchor {
-            subject: &self.subject,
+            subject: self.subject.as_ref(),
            spki: &self.spki,
            name_constraints: self.name_constraints.as_deref(),
        }
@ -41,7 +41,7 @@ impl OwnedTrustAnchor {
        name_constraints: Option<impl Into<Vec<u8>>>,
    ) -> Self {
        Self {
-            subject: subject.into(),
+            subject: DistinguishedName::from(subject.into()),
            spki: spki.into(),
            name_constraints: name_constraints.map(|x| x.into()),
        }
@ -55,7 +55,7 @@ impl OwnedTrustAnchor {
    /// use x509_parser::prelude::FromDer;
    /// println!("{}", x509_parser::x509::X509Name::from_der(anchor.subject())?.1);
    /// ```
-    pub fn subject(&self) -> &[u8] {
+    pub fn subject(&self) -> &DistinguishedName {
        &self.subject
    }
 }
--- a/rustls/src/server/tls12.rs
+++ b/rustls/src/server/tls12.rs
@ -40,8 +40,8 @@ mod client_hello {
    use crate::msgs::handshake::{ClientExtension, SessionID};
    use crate::msgs::handshake::{ClientHelloPayload, ServerHelloPayload};
    use crate::msgs::handshake::{ServerExtension, ServerKeyExchangePayload};
+    use crate::sign;
    use crate::verify::DigitallySignedStruct;
-    use crate::{sign, DistinguishedName};

    use super::*;

@ -450,9 +450,7 @@ mod client_hello {
        let names = config
            .verifier
            .client_auth_root_subjects()
-            .iter()
-            .map(|n| DistinguishedName::from(n.clone()))
-            .collect::<Vec<_>>();
+            .to_vec();

        let cr = CertificateRequestPayload {
            certtypes: vec![
--- a/rustls/src/server/tls13.rs
+++ b/rustls/src/server/tls13.rs
@ -41,6 +41,7 @@ pub(super) use client_hello::CompleteClientHelloHandling;

 mod client_hello {
    use crate::enums::SignatureScheme;
+    use crate::kx;
    use crate::msgs::base::{Payload, PayloadU8};
    use crate::msgs::ccs::ChangeCipherSpecPayload;
    use crate::msgs::enums::NamedGroup;
@ -65,7 +66,6 @@ mod client_hello {
        KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake,
    };
    use crate::verify::DigitallySignedStruct;
-    use crate::{kx, DistinguishedName};

    use super::*;

@ -699,9 +699,7 @@ mod client_hello {
        let names = config
            .verifier
            .client_auth_root_subjects()
-            .iter()
-            .map(|n| DistinguishedName::from(n.clone()))
-            .collect::<Vec<_>>();
+            .to_vec();

        if !names.is_empty() {
            cr.extensions
--- a/rustls/src/verify.rs
+++ b/rustls/src/verify.rs
@ -551,7 +551,7 @@ impl AllowAnyAuthenticatedClient {
            subjects: roots
                .roots
                .iter()
-                .map(|r| DistinguishedName::from(r.subject().to_vec()))
+                .map(|r| r.subject().clone())
                .collect::<Vec<_>>(),
            roots,
        }
@ -615,7 +615,7 @@ impl AllowAnyAnonymousOrAuthenticatedClient {
                subjects: roots
                    .roots
                    .iter()
-                    .map(|r| DistinguishedName::from(r.subject().to_vec()))
+                    .map(|r| r.subject().clone())
                    .collect::<Vec<_>>(),
                roots,
            },
--- a/rustls/tests/client_cert_verifier.rs
+++ b/rustls/tests/client_cert_verifier.rs
@ -53,7 +53,7 @@ fn client_verifier_works() {
            subjects: get_client_root_store(*kt)
                .roots
                .iter()
-                .map(|r| DistinguishedName::from(r.subject().to_vec()))
+                .map(|r| r.subject().clone())
                .collect(),
            mandatory: true,
            offered_schemes: None,
@ -81,7 +81,7 @@ fn client_verifier_no_schemes() {
            subjects: get_client_root_store(*kt)
                .roots
                .iter()
-                .map(|r| DistinguishedName::from(r.subject().to_vec()))
+                .map(|r| r.subject().clone())
                .collect(),
            mandatory: true,
            offered_schemes: Some(vec![]),
@ -114,7 +114,7 @@ fn client_verifier_no_auth_yes_root() {
            subjects: get_client_root_store(*kt)
                .roots
                .iter()
-                .map(|r| DistinguishedName::from(r.subject().to_vec()))
+                .map(|r| r.subject().clone())
                .collect(),
            mandatory: true,
            offered_schemes: None,
@ -151,7 +151,7 @@ fn client_verifier_fails_properly() {
            subjects: get_client_root_store(*kt)
                .roots
                .iter()
-                .map(|r| DistinguishedName::from(r.subject().to_vec()))
+                .map(|r| r.subject().clone())
                .collect(),
            mandatory: true,
            offered_schemes: None,