mirror of https://github.com/ctz/rustls
Use webpki 0.16 and webpki-roots 0.13.
This commit is contained in:
parent
54c02de0b6
commit
60bd99f67f
|
@ -15,7 +15,7 @@ time = "0.1.37"
|
|||
base64 = "0.6"
|
||||
log = { version = "0.3.6", optional = true }
|
||||
ring = { version = "0.11", features = ["rsa_signing"] }
|
||||
webpki = "0.14"
|
||||
webpki = "0.16"
|
||||
sct = "0.1.2"
|
||||
|
||||
[features]
|
||||
|
@ -30,7 +30,7 @@ mio = "0.6"
|
|||
docopt = "0.8"
|
||||
serde = "1.0"
|
||||
serde_derive = "1.0"
|
||||
webpki-roots = "0.11"
|
||||
webpki-roots = "0.13"
|
||||
ct-logs = "0.1"
|
||||
regex = "0.2"
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ fn parse_args(args: &[String]) -> Result<(String, u16, ClientConfig), Box<Error>
|
|||
let mut config = ClientConfig::new();
|
||||
match args.len() {
|
||||
3 => {
|
||||
config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
}
|
||||
4 => {
|
||||
let f = File::open(&args[3])?;
|
||||
|
|
|
@ -8,7 +8,7 @@ extern crate webpki_roots;
|
|||
|
||||
fn main() {
|
||||
let mut config = rustls::ClientConfig::new();
|
||||
config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
|
||||
let mut sess = rustls::ClientSession::new(&Arc::new(config), "google.com");
|
||||
let mut sock = TcpStream::connect("google.com:443").unwrap();
|
||||
|
|
|
@ -438,7 +438,7 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
|
|||
.add_pem_file(&mut reader)
|
||||
.unwrap();
|
||||
} else {
|
||||
config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
config.ct_logs = Some(&ct_logs::LOGS);
|
||||
}
|
||||
|
||||
|
|
|
@ -87,7 +87,9 @@ impl RootCertStore {
|
|||
|
||||
/// Adds all the given TrustAnchors `anchors`. This does not
|
||||
/// fail.
|
||||
pub fn add_trust_anchors(&mut self, anchors: &[webpki::TrustAnchor]) {
|
||||
pub fn add_server_trust_anchors(&mut self,
|
||||
&webpki::TLSServerTrustAnchors(anchors):
|
||||
&webpki::TLSServerTrustAnchors) {
|
||||
for ta in anchors {
|
||||
self.roots.push(OwnedTrustAnchor::from_trust_anchor(ta));
|
||||
}
|
||||
|
|
|
@ -60,6 +60,9 @@ pub enum TLSError {
|
|||
|
||||
/// A catch-all error for unlikely errors.
|
||||
General(String),
|
||||
|
||||
/// We failed to figure out what time it currently is.
|
||||
FailedToGetCurrentTime,
|
||||
}
|
||||
|
||||
fn join<T: fmt::Debug>(items: &[T]) -> String {
|
||||
|
@ -117,7 +120,8 @@ impl Error for TLSError {
|
|||
TLSError::AlertReceived(_) => "received fatal alert",
|
||||
TLSError::WebPKIError(_) => "invalid certificate",
|
||||
TLSError::InvalidSCT(_) => "invalid certificate timestamp",
|
||||
TLSError::General(_) => "unexpected error", // (please file a bug)
|
||||
TLSError::General(_) => "unexpected error", // (please file a bug),
|
||||
TLSError::FailedToGetCurrentTime => "failed to get current time",
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -98,7 +98,7 @@
|
|||
//! the Mozilla set of root certificates.
|
||||
//!
|
||||
//! ```rust,ignore
|
||||
//! config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
//! config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
//! ```
|
||||
//!
|
||||
//! Now we can make a session. You need to provide the server's hostname so we
|
||||
|
@ -194,7 +194,7 @@ extern crate webpki;
|
|||
// *ring* for cryptography.
|
||||
extern crate ring;
|
||||
|
||||
// time for feeding webpki the time.
|
||||
// TODO: Remove this dependency.
|
||||
extern crate time;
|
||||
|
||||
// untrusted for feeding ring and webpki.
|
||||
|
|
|
@ -2,6 +2,7 @@ use webpki;
|
|||
use time;
|
||||
use untrusted;
|
||||
use sct;
|
||||
use std;
|
||||
|
||||
use key::Certificate;
|
||||
use msgs::handshake::DigitallySignedStruct;
|
||||
|
@ -78,7 +79,7 @@ pub trait ClientCertVerifier : Send + Sync {
|
|||
}
|
||||
|
||||
pub struct WebPKIVerifier {
|
||||
pub time: fn() -> time::Timespec,
|
||||
pub time: fn() -> Result<webpki::Time, TLSError>,
|
||||
}
|
||||
|
||||
impl ServerCertVerifier for WebPKIVerifier {
|
||||
|
@ -111,7 +112,9 @@ impl ClientCertVerifier for WebPKIVerifier {
|
|||
impl WebPKIVerifier {
|
||||
pub fn new() -> WebPKIVerifier {
|
||||
WebPKIVerifier {
|
||||
time: time::get_time
|
||||
time: ||
|
||||
webpki::Time::try_from(std::time::SystemTime::now())
|
||||
.map_err(|_| TLSError::FailedToGetCurrentTime),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -131,6 +134,8 @@ impl WebPKIVerifier {
|
|||
let cert = webpki::EndEntityCert::from(cert_der)
|
||||
.map_err(TLSError::WebPKIError)?;
|
||||
|
||||
let now = (self.time)()?;
|
||||
|
||||
let chain: Vec<untrusted::Input> = presented_certs.iter()
|
||||
.skip(1)
|
||||
.map(|cert| untrusted::Input::from(&cert.0))
|
||||
|
@ -140,8 +145,9 @@ impl WebPKIVerifier {
|
|||
.iter()
|
||||
.map(|x| x.to_trust_anchor())
|
||||
.collect();
|
||||
let trustroots = webpki::TLSServerTrustAnchors(&trustroots);
|
||||
|
||||
cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &trustroots, &chain, (self.time)())
|
||||
cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &trustroots, &chain, now)
|
||||
.map_err(TLSError::WebPKIError)
|
||||
.map(|_| cert)
|
||||
}
|
||||
|
|
|
@ -7,10 +7,11 @@
|
|||
use std::time::{Duration, Instant};
|
||||
|
||||
use anchors;
|
||||
use error::TLSError;
|
||||
use verify;
|
||||
use verify::ServerCertVerifier;
|
||||
use key;
|
||||
use time;
|
||||
use webpki;
|
||||
|
||||
extern crate webpki_roots;
|
||||
|
||||
|
@ -36,11 +37,8 @@ fn bench<Fsetup, Ftest, S>(count: usize, name: &'static str, f_setup: Fsetup, f_
|
|||
times.iter().min().unwrap() / 1000);
|
||||
}
|
||||
|
||||
fn fixed_time() -> time::Timespec {
|
||||
time::Timespec {
|
||||
sec: 1500000000,
|
||||
nsec: 0,
|
||||
}
|
||||
fn fixed_time() -> Result<webpki::Time, TLSError> {
|
||||
Ok(webpki::Time::from_seconds_since_unix_epoch(1500000000))
|
||||
}
|
||||
|
||||
static V: &'static verify::WebPKIVerifier = &verify::WebPKIVerifier {
|
||||
|
@ -53,7 +51,7 @@ fn test_reddit_cert() {
|
|||
let cert1 = key::Certificate(include_bytes!("testdata/cert-reddit.1.der").to_vec());
|
||||
let chain = [ cert0, cert1 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(reddit)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "reddit.com", &[]).unwrap(); });
|
||||
|
@ -65,7 +63,7 @@ fn test_github_cert() {
|
|||
let cert1 = key::Certificate(include_bytes!("testdata/cert-github.1.der").to_vec());
|
||||
let chain = [ cert0, cert1 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(github)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "github.com", &[]).unwrap(); });
|
||||
|
@ -78,7 +76,7 @@ fn test_arstechnica_cert() {
|
|||
let cert2 = key::Certificate(include_bytes!("testdata/cert-arstechnica.2.der").to_vec());
|
||||
let chain = [ cert0, cert1, cert2 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(arstechnica)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "arstechnica.com", &[]).unwrap(); });
|
||||
|
@ -91,7 +89,7 @@ fn test_servo_cert() {
|
|||
let cert2 = key::Certificate(include_bytes!("testdata/cert-servo.2.der").to_vec());
|
||||
let chain = [ cert0, cert1, cert2 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(servo)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "servo.org", &[]).unwrap(); });
|
||||
|
@ -103,7 +101,7 @@ fn test_twitter_cert() {
|
|||
let cert1 = key::Certificate(include_bytes!("testdata/cert-twitter.1.der").to_vec());
|
||||
let chain = [ cert0, cert1 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(twitter)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "twitter.com", &[]).unwrap(); });
|
||||
|
@ -115,7 +113,7 @@ fn test_wikipedia_cert() {
|
|||
let cert1 = key::Certificate(include_bytes!("testdata/cert-wikipedia.1.der").to_vec());
|
||||
let chain = [ cert0, cert1 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(wikipedia)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "wikipedia.org", &[]).unwrap(); });
|
||||
|
@ -128,7 +126,7 @@ fn test_google_cert() {
|
|||
let cert2 = key::Certificate(include_bytes!("testdata/cert-google.2.der").to_vec());
|
||||
let chain = [ cert0, cert1, cert2 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(google)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "www.google.com", &[]).unwrap(); });
|
||||
|
@ -141,7 +139,7 @@ fn test_hn_cert() {
|
|||
let cert2 = key::Certificate(include_bytes!("testdata/cert-hn.2.der").to_vec());
|
||||
let chain = [ cert0, cert1, cert2 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(hn)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "news.ycombinator.com", &[]).unwrap(); });
|
||||
|
@ -153,7 +151,7 @@ fn test_stackoverflow_cert() {
|
|||
let cert1 = key::Certificate(include_bytes!("testdata/cert-stackoverflow.1.der").to_vec());
|
||||
let chain = [ cert0, cert1 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(stackoverflow)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "stackoverflow.com", &[]).unwrap(); });
|
||||
|
@ -165,7 +163,7 @@ fn test_duckduckgo_cert() {
|
|||
let cert1 = key::Certificate(include_bytes!("testdata/cert-duckduckgo.1.der").to_vec());
|
||||
let chain = [ cert0, cert1 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(duckduckgo)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "duckduckgo.com", &[]).unwrap(); });
|
||||
|
@ -178,7 +176,7 @@ fn test_rustlang_cert() {
|
|||
let cert2 = key::Certificate(include_bytes!("testdata/cert-rustlang.2.der").to_vec());
|
||||
let chain = [ cert0, cert1, cert2 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(rustlang)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "www.rust-lang.org", &[]).unwrap(); });
|
||||
|
@ -191,7 +189,7 @@ fn test_wapo_cert() {
|
|||
let cert2 = key::Certificate(include_bytes!("testdata/cert-wapo.2.der").to_vec());
|
||||
let chain = [ cert0, cert1, cert2 ];
|
||||
let mut anchors = anchors::RootCertStore::empty();
|
||||
anchors.add_trust_anchors(&webpki_roots::ROOTS);
|
||||
anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
|
||||
bench(100, "verify_server_cert(wapo)",
|
||||
|| (),
|
||||
|_| { V.verify_server_cert(&anchors, &chain[..], "www.washingtonpost.com", &[]).unwrap(); });
|
||||
|
|
Loading…
Reference in New Issue