Use webpki 0.16 and webpki-roots 0.13.

Cargo.toml

@@ -15,7 +15,7 @@ time = "0.1.37"
 base64 = "0.6"
 log = { version = "0.3.6", optional = true }
 ring = { version = "0.11", features = ["rsa_signing"] }
-webpki = "0.14"
+webpki = "0.16"
 sct = "0.1.2"
 
 [features]
@@ -30,7 +30,7 @@ mio = "0.6"
 docopt = "0.8"
 serde = "1.0"
 serde_derive = "1.0"
-webpki-roots = "0.11"
+webpki-roots = "0.13"
 ct-logs = "0.1"
 regex = "0.2"
 

examples/internal/trytls_shim.rs

@@ -25,7 +25,7 @@ fn parse_args(args: &[String]) -> Result<(String, u16, ClientConfig), Box<Error>
     let mut config = ClientConfig::new();
     match args.len() {
         3 => {
-            config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
+            config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
         }
         4 => {
             let f = File::open(&args[3])?;

examples/simpleclient.rs

@@ -8,7 +8,7 @@ extern crate webpki_roots;
 
 fn main() {
     let mut config = rustls::ClientConfig::new();
-    config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
+    config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
 
     let mut sess = rustls::ClientSession::new(&Arc::new(config), "google.com");
     let mut sock = TcpStream::connect("google.com:443").unwrap();

examples/tlsclient.rs

@@ -438,7 +438,7 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
             .add_pem_file(&mut reader)
             .unwrap();
     } else {
-        config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
+        config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
         config.ct_logs = Some(&ct_logs::LOGS);
     }
 

src/anchors.rs

@@ -87,7 +87,9 @@ impl RootCertStore {
 
     /// Adds all the given TrustAnchors `anchors`.  This does not
     /// fail.
-    pub fn add_trust_anchors(&mut self, anchors: &[webpki::TrustAnchor]) {
+    pub fn add_server_trust_anchors(&mut self,
+                                    &webpki::TLSServerTrustAnchors(anchors):
+                                        &webpki::TLSServerTrustAnchors) {
         for ta in anchors {
             self.roots.push(OwnedTrustAnchor::from_trust_anchor(ta));
         }

src/error.rs

@@ -60,6 +60,9 @@ pub enum TLSError {
 
     /// A catch-all error for unlikely errors.
     General(String),
+
+    /// We failed to figure out what time it currently is.
+    FailedToGetCurrentTime,
 }
 
 fn join<T: fmt::Debug>(items: &[T]) -> String {
@@ -117,7 +120,8 @@ impl Error for TLSError {
             TLSError::AlertReceived(_) => "received fatal alert",
             TLSError::WebPKIError(_) => "invalid certificate",
             TLSError::InvalidSCT(_) => "invalid certificate timestamp",
-            TLSError::General(_) => "unexpected error", // (please file a bug)
+            TLSError::General(_) => "unexpected error", // (please file a bug),
+            TLSError::FailedToGetCurrentTime => "failed to get current time",
         }
     }
 }

src/lib.rs

@@ -98,7 +98,7 @@
 //! the Mozilla set of root certificates.
 //!
 //! ```rust,ignore
-//! config.root_store.add_trust_anchors(&webpki_roots::ROOTS);
+//! config.root_store.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
 //! ```
 //!
 //! Now we can make a session.  You need to provide the server's hostname so we
@@ -194,7 +194,7 @@ extern crate webpki;
 // *ring* for cryptography.
 extern crate ring;
 
-// time for feeding webpki the time.
+// TODO: Remove this dependency.
 extern crate time;
 
 // untrusted for feeding ring and webpki.

src/verify.rs

@@ -2,6 +2,7 @@ use webpki;
 use time;
 use untrusted;
 use sct;
+use std;
 
 use key::Certificate;
 use msgs::handshake::DigitallySignedStruct;
@@ -78,7 +79,7 @@ pub trait ClientCertVerifier : Send + Sync {
 }
 
 pub struct WebPKIVerifier {
-    pub time: fn() -> time::Timespec,
+    pub time: fn() -> Result<webpki::Time, TLSError>,
 }
 
 impl ServerCertVerifier for WebPKIVerifier {
@@ -111,7 +112,9 @@ impl ClientCertVerifier for WebPKIVerifier {
 impl WebPKIVerifier {
     pub fn new() -> WebPKIVerifier {
         WebPKIVerifier {
-            time: time::get_time
+            time: ||
+                webpki::Time::try_from(std::time::SystemTime::now())
+                    .map_err(|_| TLSError::FailedToGetCurrentTime),
         }
     }
 
@@ -131,6 +134,8 @@ impl WebPKIVerifier {
         let cert = webpki::EndEntityCert::from(cert_der)
             .map_err(TLSError::WebPKIError)?;
 
+        let now = (self.time)()?;
+
         let chain: Vec<untrusted::Input> = presented_certs.iter()
             .skip(1)
             .map(|cert| untrusted::Input::from(&cert.0))
@@ -140,8 +145,9 @@ impl WebPKIVerifier {
             .iter()
             .map(|x| x.to_trust_anchor())
             .collect();
+        let trustroots = webpki::TLSServerTrustAnchors(&trustroots);
 
-        cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &trustroots, &chain, (self.time)())
+        cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &trustroots, &chain, now)
             .map_err(TLSError::WebPKIError)
             .map(|_| cert)
     }

src/verifybench.rs

@@ -7,10 +7,11 @@
 use std::time::{Duration, Instant};
 
 use anchors;
+use error::TLSError;
 use verify;
 use verify::ServerCertVerifier;
 use key;
-use time;
+use webpki;
 
 extern crate webpki_roots;
 
@@ -36,11 +37,8 @@ fn bench<Fsetup, Ftest, S>(count: usize, name: &'static str, f_setup: Fsetup, f_
              times.iter().min().unwrap() / 1000);
 }
 
-fn fixed_time() -> time::Timespec {
-    time::Timespec {
-        sec: 1500000000,
-        nsec: 0,
-    }
+fn fixed_time() -> Result<webpki::Time, TLSError> {
+    Ok(webpki::Time::from_seconds_since_unix_epoch(1500000000))
 }
 
 static V: &'static verify::WebPKIVerifier = &verify::WebPKIVerifier {
@@ -53,7 +51,7 @@ fn test_reddit_cert() {
     let cert1 = key::Certificate(include_bytes!("testdata/cert-reddit.1.der").to_vec());
     let chain = [ cert0, cert1 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(reddit)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "reddit.com", &[]).unwrap(); });
@@ -65,7 +63,7 @@ fn test_github_cert() {
     let cert1 = key::Certificate(include_bytes!("testdata/cert-github.1.der").to_vec());
     let chain = [ cert0, cert1 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(github)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "github.com", &[]).unwrap(); });
@@ -78,7 +76,7 @@ fn test_arstechnica_cert() {
     let cert2 = key::Certificate(include_bytes!("testdata/cert-arstechnica.2.der").to_vec());
     let chain = [ cert0, cert1, cert2 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(arstechnica)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "arstechnica.com", &[]).unwrap(); });
@@ -91,7 +89,7 @@ fn test_servo_cert() {
     let cert2 = key::Certificate(include_bytes!("testdata/cert-servo.2.der").to_vec());
     let chain = [ cert0, cert1, cert2 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(servo)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "servo.org", &[]).unwrap(); });
@@ -103,7 +101,7 @@ fn test_twitter_cert() {
     let cert1 = key::Certificate(include_bytes!("testdata/cert-twitter.1.der").to_vec());
     let chain = [ cert0, cert1 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(twitter)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "twitter.com", &[]).unwrap(); });
@@ -115,7 +113,7 @@ fn test_wikipedia_cert() {
     let cert1 = key::Certificate(include_bytes!("testdata/cert-wikipedia.1.der").to_vec());
     let chain = [ cert0, cert1 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(wikipedia)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "wikipedia.org", &[]).unwrap(); });
@@ -128,7 +126,7 @@ fn test_google_cert() {
     let cert2 = key::Certificate(include_bytes!("testdata/cert-google.2.der").to_vec());
     let chain = [ cert0, cert1, cert2 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(google)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "www.google.com", &[]).unwrap(); });
@@ -141,7 +139,7 @@ fn test_hn_cert() {
     let cert2 = key::Certificate(include_bytes!("testdata/cert-hn.2.der").to_vec());
     let chain = [ cert0, cert1, cert2 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(hn)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "news.ycombinator.com", &[]).unwrap(); });
@@ -153,7 +151,7 @@ fn test_stackoverflow_cert() {
     let cert1 = key::Certificate(include_bytes!("testdata/cert-stackoverflow.1.der").to_vec());
     let chain = [ cert0, cert1 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(stackoverflow)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "stackoverflow.com", &[]).unwrap(); });
@@ -165,7 +163,7 @@ fn test_duckduckgo_cert() {
     let cert1 = key::Certificate(include_bytes!("testdata/cert-duckduckgo.1.der").to_vec());
     let chain = [ cert0, cert1 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(duckduckgo)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "duckduckgo.com", &[]).unwrap(); });
@@ -178,7 +176,7 @@ fn test_rustlang_cert() {
     let cert2 = key::Certificate(include_bytes!("testdata/cert-rustlang.2.der").to_vec());
     let chain = [ cert0, cert1, cert2 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(rustlang)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "www.rust-lang.org", &[]).unwrap(); });
@@ -191,7 +189,7 @@ fn test_wapo_cert() {
     let cert2 = key::Certificate(include_bytes!("testdata/cert-wapo.2.der").to_vec());
     let chain = [ cert0, cert1, cert2 ];
     let mut anchors = anchors::RootCertStore::empty();
-    anchors.add_trust_anchors(&webpki_roots::ROOTS);
+    anchors.add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
     bench(100, "verify_server_cert(wapo)", 
           || (),
           |_| { V.verify_server_cert(&anchors, &chain[..], "www.washingtonpost.com", &[]).unwrap(); });