From 2df280cae25f598782f92db33d071945e07992a2 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Mon, 27 Mar 2023 12:36:53 -0700
Subject: [PATCH] OwnedTrustAnchor: subject is a DistinguishedName

Store the subject field as the DistinguishedName type, and also return &DistinguishedName from subject().
---
 rustls/src/anchors.rs | 10 +++++-----
 rustls/src/server/tls12.rs | 6 ++----
 rustls/src/server/tls13.rs | 6 ++----
 rustls/src/verify.rs | 4 ++--
 rustls/tests/client_cert_verifier.rs | 8 ++++----
 5 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/rustls/src/anchors.rs b/rustls/src/anchors.rs
index 5e006171..98f61701 100644
--- a/rustls/src/anchors.rs
+++ b/rustls/src/anchors.rs
@@ -1,12 +1,12 @@
-use crate::key;
 #[cfg(feature = "logging")]
 use crate::log::{debug, trace};
+use crate::{key, DistinguishedName};
 use crate::{CertificateError, Error};
 
 /// A trust anchor, commonly known as a "Root Certificate."
 #[derive(Debug, Clone)]
 pub struct OwnedTrustAnchor {
- subject: Vec,
+ subject: DistinguishedName,
 spki: Vec,
 name_constraints: Option>,
 }
@@ -15,7 +15,7 @@ impl OwnedTrustAnchor {
 /// Get a `webpki::TrustAnchor` by borrowing the owned elements.
 pub(crate) fn to_trust_anchor(&self) -> webpki::TrustAnchor {
 webpki::TrustAnchor {
- subject: &self.subject,
+ subject: self.subject.as_ref(),
 spki: &self.spki,
 name_constraints: self.name_constraints.as_deref(),
 }
@@ -41,7 +41,7 @@ impl OwnedTrustAnchor {
 name_constraints: Option>>,
 ) -> Self {
 Self {
- subject: subject.into(),
+ subject: DistinguishedName::from(subject.into()),
 spki: spki.into(),
 name_constraints: name_constraints.map(|x| x.into()),
 }
@@ -55,7 +55,7 @@ impl OwnedTrustAnchor {
 /// use x509_parser::prelude::FromDer;
 /// println!("{}", x509_parser::x509::X509Name::from_der(anchor.subject())?.1);
 /// ```
- pub fn subject(&self) -> &[u8] {
+ pub fn subject(&self) -> &DistinguishedName {
 &self.subject
 }
 }
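Review bot: The doc example two lines above the changed `subject()` signature still passes `anchor.subject()` straight to `X509Name::from_der`, which was written against the old `&[u8]` return; with `&DistinguishedName` it presumably needs the same byte view that `to_trust_anchor` now takes via `self.subject.as_ref()`, i.e. `/// println!("{}", x509_parser::x509::X509Name::from_der(anchor.subject().as_ref())?.1);`. If that code block is not compiled as a doctest (its opening fence is outside the hunk) the stale example will not be caught by `cargo test`. The lead sentence of that doc comment also lies above the hunk; if it still describes the return as the raw DER bytes it should say the subject comes back as a `DistinguishedName` and that the encoding is reachable through `as_ref()`.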
diff --git a/rustls/src/server/tls12.rs b/rustls/src/server/tls12.rs
index 806860f0..007a0a26 100644
--- a/rustls/src/server/tls12.rs
+++ b/rustls/src/server/tls12.rs
@@ -40,8 +40,8 @@ mod client_hello {
 use crate::msgs::handshake::{ClientExtension, SessionID};
 use crate::msgs::handshake::{ClientHelloPayload, ServerHelloPayload};
 use crate::msgs::handshake::{ServerExtension, ServerKeyExchangePayload};
+ use crate::sign;
 use crate::verify::DigitallySignedStruct;
- use crate::{sign, DistinguishedName};
 
 use super::*;
 
@@ -450,9 +450,7 @@ mod client_hello {
 let names = config
 .verifier
 .client_auth_root_subjects()
- .iter()
- .map(|n| DistinguishedName::from(n.clone()))
- .collect::>();
+ .to_vec();
 
 let cr = CertificateRequestPayload {
 certtypes: vec![
diff --git a/rustls/src/server/tls13.rs b/rustls/src/server/tls13.rs
index baa59bf3..11aee5df 100644
--- a/rustls/src/server/tls13.rs
+++ b/rustls/src/server/tls13.rs
@@ -41,6 +41,7 @@ pub(super) use client_hello::CompleteClientHelloHandling;
 
 mod client_hello {
 use crate::enums::SignatureScheme;
+ use crate::kx;
 use crate::msgs::base::{Payload, PayloadU8};
 use crate::msgs::ccs::ChangeCipherSpecPayload;
 use crate::msgs::enums::NamedGroup;
@@ -65,7 +66,6 @@ mod client_hello {
 KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake,
 };
 use crate::verify::DigitallySignedStruct;
- use crate::{kx, DistinguishedName};
 
 use super::*;
 
@@ -699,9 +699,7 @@ mod client_hello {
 let names = config
 .verifier
 .client_auth_root_subjects()
- .iter()
- .map(|n| DistinguishedName::from(n.clone()))
- .collect::>();
+ .to_vec();
 
 if !names.is_empty() {
 cr.extensions
diff --git a/rustls/src/verify.rs b/rustls/src/verify.rs
index 336113c5..b00a27d5 100644
--- a/rustls/src/verify.rs
+++ b/rustls/src/verify.rs
@@ -551,7 +551,7 @@ impl AllowAnyAuthenticatedClient {
 subjects: roots
 .roots
 .iter()
- .map(|r| DistinguishedName::from(r.subject().to_vec()))
+ .map(|r| r.subject().clone())
 .collect::>(),
 roots,
 }
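Review bot: The new closure `.map(|r| r.subject().clone())` over `roots.roots.iter()` in the `AllowAnyAuthenticatedClient` constructor is repeated verbatim in the `AllowAnyAnonymousOrAuthenticatedClient` hunk at 615 and four more times in `rustls/tests/client_cert_verifier.rs`; a single accessor on the root store, e.g. `pub fn subjects(&self) -> Vec<DistinguishedName> { self.roots.iter().map(|r| r.subject().clone()).collect() }`, would keep the subject list advertised in CertificateRequest derived from one place. The turbofish on `.collect()` here is redundant now that the `subjects` field fixes the target type, as the bare `.collect()` in the test-file hunks shows. Both constructors' bodies begin and end outside their hunks.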
@@ -615,7 +615,7 @@ impl AllowAnyAnonymousOrAuthenticatedClient {
 subjects: roots
 .roots
 .iter()
- .map(|r| DistinguishedName::from(r.subject().to_vec()))
+ .map(|r| r.subject().clone())
 .collect::>(),
 roots,
 },
diff --git a/rustls/tests/client_cert_verifier.rs b/rustls/tests/client_cert_verifier.rs
index b687cfdf..d7f6de52 100644
--- a/rustls/tests/client_cert_verifier.rs
+++ b/rustls/tests/client_cert_verifier.rs
@@ -53,7 +53,7 @@ fn client_verifier_works() {
 subjects: get_client_root_store(*kt)
 .roots
 .iter()
- .map(|r| DistinguishedName::from(r.subject().to_vec()))
+ .map(|r| r.subject().clone())
 .collect(),
 mandatory: true,
 offered_schemes: None,
@@ -81,7 +81,7 @@ fn client_verifier_no_schemes() {
 subjects: get_client_root_store(*kt)
 .roots
 .iter()
- .map(|r| DistinguishedName::from(r.subject().to_vec()))
+ .map(|r| r.subject().clone())
 .collect(),
 mandatory: true,
 offered_schemes: Some(vec![]),
@@ -114,7 +114,7 @@ fn client_verifier_no_auth_yes_root() {
 subjects: get_client_root_store(*kt)
 .roots
 .iter()
- .map(|r| DistinguishedName::from(r.subject().to_vec()))
+ .map(|r| r.subject().clone())
 .collect(),
 mandatory: true,
 offered_schemes: None,
@@ -151,7 +151,7 @@ fn client_verifier_fails_properly() {
 subjects: get_client_root_store(*kt)
 .roots
 .iter()
- .map(|r| DistinguishedName::from(r.subject().to_vec()))
+ .map(|r| r.subject().clone())
 .collect(),
 mandatory: true,
 offered_schemes: None,