bogo_shim.rs: fully support aws-lc-rs provider

This was only partially ported, but built due to feature unification from other crates in the workspace. Unconditionally use a provider, and wrap certificate signature operations rather than using (ring-only) `default_verify_tls12_signature` et al.
2023-11-16 09:40:01 +00:00 · 2023-11-16 09:40:01 +00:00 · a3bf6ba24a
parent cd81f32592
commit a3bf6ba24a
1 changed files with 62 additions and 25 deletions
--- a/rustls/examples/internal/bogo_shim_impl.rs
+++ b/rustls/examples/internal/bogo_shim_impl.rs
@ -3,23 +3,25 @@
 //
 // https://boringssl.googlesource.com/boringssl/+/master/ssl/test
 //
-use rustls::client::danger::HandshakeSignatureValid;
+
+use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::client::{ClientConfig, ClientConnection, Resumption, WebPkiServerVerifier};
 use rustls::crypto::SupportedKxGroup;
 use rustls::internal::msgs::codec::Codec;
 use rustls::internal::msgs::persist::ServerSessionValue;
-use rustls::server::{ClientHello, ServerConfig, ServerConnection};
+use rustls::server::danger::{ClientCertVerified, ClientCertVerifier};
+use rustls::server::{ClientHello, ServerConfig, ServerConnection, WebPkiClientVerifier};
 use rustls::{
    self, client, server, sign, version, AlertDescription, CertificateError, Connection,
    DigitallySignedStruct, DistinguishedName, Error, InvalidMessage, NamedGroup, PeerIncompatible,
-    PeerMisbehaved, ProtocolVersion, ServerName, Side, SignatureAlgorithm, SignatureScheme,
-    SupportedProtocolVersion,
+    PeerMisbehaved, ProtocolVersion, RootCertStore, ServerName, Side, SignatureAlgorithm,
+    SignatureScheme, SupportedProtocolVersion,
 };

 #[cfg(all(not(feature = "ring"), feature = "aws_lc_rs"))]
-use rustls::crypto::aws_lc_rs as provider;
+use rustls::crypto::{aws_lc_rs as provider, aws_lc_rs::AWS_LC_RS as PROVIDER};
 #[cfg(feature = "ring")]
-use rustls::crypto::ring as provider;
+use rustls::crypto::{ring as provider, ring::RING as PROVIDER};

 use base64::prelude::{Engine, BASE64_STANDARD};
 use pki_types::{CertificateDer, PrivateKeyDer, UnixTime};
@ -177,6 +179,15 @@ fn load_key(filename: &str) -> PrivateKeyDer<'static> {
    keys.pop().unwrap().into()
 }

+fn load_root_certs() -> Arc<RootCertStore> {
+    let mut roots = RootCertStore::empty();
+
+    // this is not actually used by the tests, but must be non-empty
+    roots.add_parsable_certificates(load_cert("cert.pem"));
+
+    Arc::new(roots)
+}
+
 fn split_protocols(protos: &str) -> Vec<String> {
    let mut ret = Vec::new();

@ -194,9 +205,21 @@ fn split_protocols(protos: &str) -> Vec<String> {
 #[derive(Debug)]
 struct DummyClientAuth {
    mandatory: bool,
+    parent: Arc<dyn ClientCertVerifier>,
 }

-impl server::danger::ClientCertVerifier for DummyClientAuth {
+impl DummyClientAuth {
+    fn new(mandatory: bool) -> Self {
+        Self {
+            mandatory,
+            parent: WebPkiClientVerifier::builder_with_provider(load_root_certs(), PROVIDER)
+                .build()
+                .unwrap(),
+        }
+    }
+}
+
+impl ClientCertVerifier for DummyClientAuth {
    fn offer_client_auth(&self) -> bool {
        true
    }
@ -214,8 +237,8 @@ impl server::danger::ClientCertVerifier for DummyClientAuth {
        _end_entity: &CertificateDer<'_>,
        _intermediates: &[CertificateDer<'_>],
        _now: UnixTime,
-    ) -> Result<server::danger::ClientCertVerified, Error> {
-        Ok(server::danger::ClientCertVerified::assertion())
+    ) -> Result<ClientCertVerified, Error> {
+        Ok(ClientCertVerified::assertion())
    }

    fn verify_tls12_signature(
@ -224,7 +247,8 @@ impl server::danger::ClientCertVerifier for DummyClientAuth {
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
-        WebPkiServerVerifier::default_verify_tls12_signature(message, cert, dss)
+        self.parent
+            .verify_tls12_signature(message, cert, dss)
    }

    fn verify_tls13_signature(
@ -233,18 +257,31 @@ impl server::danger::ClientCertVerifier for DummyClientAuth {
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
-        WebPkiServerVerifier::default_verify_tls13_signature(message, cert, dss)
+        self.parent
+            .verify_tls13_signature(message, cert, dss)
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-        WebPkiServerVerifier::default_supported_verify_schemes()
+        self.parent.supported_verify_schemes()
    }
 }

 #[derive(Debug)]
-struct DummyServerAuth {}
+struct DummyServerAuth {
+    parent: Arc<dyn ServerCertVerifier>,
+}

-impl client::danger::ServerCertVerifier for DummyServerAuth {
+impl DummyServerAuth {
+    fn new() -> Self {
+        DummyServerAuth {
+            parent: WebPkiServerVerifier::builder_with_provider(load_root_certs(), PROVIDER)
+                .build()
+                .unwrap(),
+        }
+    }
+}
+
+impl ServerCertVerifier for DummyServerAuth {
    fn verify_server_cert(
        &self,
        _end_entity: &CertificateDer<'_>,
@ -252,8 +289,8 @@ impl client::danger::ServerCertVerifier for DummyServerAuth {
        _hostname: &ServerName,
        _ocsp: &[u8],
        _now: UnixTime,
-    ) -> Result<client::danger::ServerCertVerified, Error> {
-        Ok(client::danger::ServerCertVerified::assertion())
+    ) -> Result<ServerCertVerified, Error> {
+        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
@ -262,7 +299,8 @@ impl client::danger::ServerCertVerifier for DummyServerAuth {
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
-        WebPkiServerVerifier::default_verify_tls12_signature(message, cert, dss)
+        self.parent
+            .verify_tls12_signature(message, cert, dss)
    }

    fn verify_tls13_signature(
@ -271,11 +309,12 @@ impl client::danger::ServerCertVerifier for DummyServerAuth {
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
-        WebPkiServerVerifier::default_verify_tls13_signature(message, cert, dss)
+        self.parent
+            .verify_tls13_signature(message, cert, dss)
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-        WebPkiServerVerifier::default_supported_verify_schemes()
+        self.parent.supported_verify_schemes()
    }
 }

@ -439,9 +478,7 @@ impl server::StoresServerSessions for ServerCacheWithResumptionDelay {
 fn make_server_cfg(opts: &Options) -> Arc<ServerConfig> {
    let client_auth =
        if opts.verify_peer || opts.offer_no_client_cas || opts.require_any_client_cert {
-            Arc::new(DummyClientAuth {
-                mandatory: opts.require_any_client_cert,
-            })
+            Arc::new(DummyClientAuth::new(opts.require_any_client_cert))
        } else {
            server::WebPkiClientVerifier::no_client_auth()
        };
@ -458,7 +495,7 @@ fn make_server_cfg(opts: &Options) -> Arc<ServerConfig> {
        provider::ALL_KX_GROUPS.to_vec()
    };

-    let mut cfg = ServerConfig::builder()
+    let mut cfg = ServerConfig::builder_with_provider(PROVIDER)
        .with_safe_default_cipher_suites()
        .with_kx_groups(&kx_groups)
        .with_protocol_versions(&opts.supported_versions())
@ -583,13 +620,13 @@ fn make_client_cfg(opts: &Options) -> Arc<ClientConfig> {
        provider::ALL_KX_GROUPS.to_vec()
    };

-    let cfg = ClientConfig::builder()
+    let cfg = ClientConfig::builder_with_provider(PROVIDER)
        .with_safe_default_cipher_suites()
        .with_kx_groups(&kx_groups)
        .with_protocol_versions(&opts.supported_versions())
        .expect("inconsistent settings")
        .dangerous()
-        .with_custom_certificate_verifier(Arc::new(DummyServerAuth {}));
+        .with_custom_certificate_verifier(Arc::new(DummyServerAuth::new()));

    let mut cfg = if !opts.cert_file.is_empty() && !opts.key_file.is_empty() {
        let cert = load_cert(&opts.cert_file);