2016-06-05 17:16:08 +00:00
|
|
|
// Copyright 2016 Joseph Birr-Pixton.
|
|
|
|
|
//
|
|
|
|
|
// Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
|
// purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
// copyright notice and this permission notice appear in all copies.
|
|
|
|
|
//
|
|
|
|
|
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
|
|
|
|
|
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
|
|
|
|
|
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
|
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
|
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
|
|
2020-08-28 00:11:44 +00:00
|
|
|
use core::convert::TryFrom;
|
2016-06-05 17:16:08 +00:00
|
|
|
extern crate webpki;
|
|
|
|
|
|
2019-03-21 22:51:26 +00:00
|
|
|
static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
|
2017-08-27 22:18:23 +00:00
|
|
|
&webpki::ECDSA_P256_SHA256,
|
|
|
|
|
&webpki::ECDSA_P256_SHA384,
|
|
|
|
|
&webpki::ECDSA_P384_SHA256,
|
|
|
|
|
&webpki::ECDSA_P384_SHA384,
|
2021-01-06 22:49:07 +00:00
|
|
|
&webpki::ED25519,
|
|
|
|
|
#[cfg(feature = "alloc")]
|
2017-08-27 22:18:23 +00:00
|
|
|
&webpki::RSA_PKCS1_2048_8192_SHA256,
|
2021-01-06 22:49:07 +00:00
|
|
|
#[cfg(feature = "alloc")]
|
2017-08-27 22:18:23 +00:00
|
|
|
&webpki::RSA_PKCS1_2048_8192_SHA384,
|
2021-01-06 22:49:07 +00:00
|
|
|
#[cfg(feature = "alloc")]
|
2017-08-27 22:18:23 +00:00
|
|
|
&webpki::RSA_PKCS1_2048_8192_SHA512,
|
2021-01-06 22:49:07 +00:00
|
|
|
#[cfg(feature = "alloc")]
|
2019-01-13 07:14:28 +00:00
|
|
|
&webpki::RSA_PKCS1_3072_8192_SHA384,
|
2016-06-05 17:16:08 +00:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
/* Checks we can verify netflix's cert chain. This is notable
|
|
|
|
|
* because they're rooted at a Verisign v1 root. */
|
2021-01-06 22:49:07 +00:00
|
|
|
#[cfg(feature = "alloc")]
|
2016-06-05 17:16:08 +00:00
|
|
|
#[test]
|
2019-03-29 01:22:01 +00:00
|
|
|
pub fn netflix() {
|
2020-08-28 00:11:44 +00:00
|
|
|
let ee: &[u8] = include_bytes!("netflix/ee.der");
|
2016-06-05 17:16:08 +00:00
|
|
|
let inter = include_bytes!("netflix/inter.der");
|
|
|
|
|
let ca = include_bytes!("netflix/ca.der");
|
|
|
|
|
|
2021-04-09 19:14:26 +00:00
|
|
|
let anchors = vec![webpki::TrustAnchor::try_from_cert_der(ca).unwrap()];
|
Revert main branch crate contents to the 0.22.0 release contents.
Reset the crate contents (sources, tests, etc.)
to what they were at that commit, while retaining the newer CI
configuration.
The changes since the 0.22.0 release were primarily intended to
accomplish two goals:
* Fix and improve the GitHub Actions configuration.
* Prepare a 0.21.5 release that was backward compatible with 0.21.4
but which also contained the improvements that were in 0.22.0.
0.21.5 was never released and will not be released. Therefore all
of the noise to facilitate the 0.21.5 release can just be deleted,
as long as we leave the CI changes that are necessary for GitHub
Actions to work correctly now.
The exact commands I used were:
```
git checkout \
6c334a2cf5853fb0aa93b5eb0318c031fc2f6f98 \
-- \
Cargo.toml \
LICENSE \
README.md \
src \
tests \
third-party
git rm src/trust_anchor_util.rs
```
Commit 6c334a2cf5853fb0aa93b5eb0318c031fc2f6f98 was the commit from
which 0.22.0 was released. It is confusing because the commit
immediately prior, 0b7cbf2d327d7665d9d06072bf46b2e7ca05f065, has
commit message "0.22.0". It appears that I merged the "0.22.0"
commit, expecting to `cargo publish` from that commit, but then
`cargo publish` failed. Then I added
6c334a2cf5853fb0aa93b5eb0318c031fc2f6f98 to fix `cargo publish`
and did the `cargo publish` from that commit. That's why I added
the `package` CI step at that time, to prevent this confusing
situation from happening again.
`trust_anchor_utils.rs` was not in 0.22.0; the `git checkout` didn't
delete it, so I had to do it separately.
I left the tests added subsequent to 0.22.0 in `tests/` (e.g.
`name_tests.rs`) since those tests pass with the 0.22.0 sources too.
Unfortunately, this requires disabling a bunch of Clippy lints, to
avoid modifying the contents from 0.22.0.
(I know it is confusing. It took me a while to figure it out myself
today.)
2023-08-30 01:13:07 +00:00
|
|
|
let anchors = webpki::TlsServerTrustAnchors(&anchors);
|
2016-06-05 17:16:08 +00:00
|
|
|
|
2020-12-08 00:14:39 +00:00
|
|
|
#[allow(clippy::unreadable_literal)] // TODO: Make this clear.
|
2017-08-27 22:18:23 +00:00
|
|
|
let time = webpki::Time::from_seconds_since_unix_epoch(1492441716);
|
2017-04-17 08:55:34 +00:00
|
|
|
|
2020-08-28 00:11:44 +00:00
|
|
|
let cert = webpki::EndEntityCert::try_from(ee).unwrap();
|
2020-12-08 00:18:22 +00:00
|
|
|
assert_eq!(
|
|
|
|
|
Ok(()),
|
|
|
|
|
cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[inter], time)
|
|
|
|
|
);
|
2016-06-05 17:16:08 +00:00
|
|
|
}
|
2016-06-18 15:18:23 +00:00
|
|
|
|
2019-01-13 07:14:28 +00:00
|
|
|
#[test]
|
2019-03-29 01:22:01 +00:00
|
|
|
pub fn ed25519() {
|
2020-08-28 00:11:44 +00:00
|
|
|
let ee: &[u8] = include_bytes!("ed25519/ee.der");
|
2019-01-13 07:14:28 +00:00
|
|
|
let ca = include_bytes!("ed25519/ca.der");
|
|
|
|
|
|
2021-04-09 19:14:26 +00:00
|
|
|
let anchors = vec![webpki::TrustAnchor::try_from_cert_der(ca).unwrap()];
|
Revert main branch crate contents to the 0.22.0 release contents.
Reset the crate contents (sources, tests, etc.)
to what they were at that commit, while retaining the newer CI
configuration.
The changes since the 0.22.0 release were primarily intended to
accomplish two goals:
* Fix and improve the GitHub Actions configuration.
* Prepare a 0.21.5 release that was backward compatible with 0.21.4
but which also contained the improvements that were in 0.22.0.
0.21.5 was never released and will not be released. Therefore all
of the noise to facilitate the 0.21.5 release can just be deleted,
as long as we leave the CI changes that are necessary for GitHub
Actions to work correctly now.
The exact commands I used were:
```
git checkout \
6c334a2cf5853fb0aa93b5eb0318c031fc2f6f98 \
-- \
Cargo.toml \
LICENSE \
README.md \
src \
tests \
third-party
git rm src/trust_anchor_util.rs
```
Commit 6c334a2cf5853fb0aa93b5eb0318c031fc2f6f98 was the commit from
which 0.22.0 was released. It is confusing because the commit
immediately prior, 0b7cbf2d327d7665d9d06072bf46b2e7ca05f065, has
commit message "0.22.0". It appears that I merged the "0.22.0"
commit, expecting to `cargo publish` from that commit, but then
`cargo publish` failed. Then I added
6c334a2cf5853fb0aa93b5eb0318c031fc2f6f98 to fix `cargo publish`
and did the `cargo publish` from that commit. That's why I added
the `package` CI step at that time, to prevent this confusing
situation from happening again.
`trust_anchor_utils.rs` was not in 0.22.0; the `git checkout` didn't
delete it, so I had to do it separately.
I left the tests added subsequent to 0.22.0 in `tests/` (e.g.
`name_tests.rs`) since those tests pass with the 0.22.0 sources too.
Unfortunately, this requires disabling a bunch of Clippy lints, to
avoid modifying the contents from 0.22.0.
(I know it is confusing. It took me a while to figure it out myself
today.)
2023-08-30 01:13:07 +00:00
|
|
|
let anchors = webpki::TlsServerTrustAnchors(&anchors);
|
2019-01-13 07:14:28 +00:00
|
|
|
|
2020-12-08 00:14:39 +00:00
|
|
|
#[allow(clippy::unreadable_literal)] // TODO: Make this clear.
|
2019-01-13 07:14:28 +00:00
|
|
|
let time = webpki::Time::from_seconds_since_unix_epoch(1547363522);
|
|
|
|
|
|
2020-08-28 00:11:44 +00:00
|
|
|
let cert = webpki::EndEntityCert::try_from(ee).unwrap();
|
2020-12-08 00:18:22 +00:00
|
|
|
assert_eq!(
|
|
|
|
|
Ok(()),
|
|
|
|
|
cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[], time)
|
|
|
|
|
);
|
2019-01-13 07:14:28 +00:00
|
|
|
}
|
|
|
|
|
|
2016-06-18 15:18:23 +00:00
|
|
|
#[test]
|
|
|
|
|
fn read_root_with_zero_serial() {
|
|
|
|
|
let ca = include_bytes!("misc/serial_zero.der");
|
2021-04-09 19:14:26 +00:00
|
|
|
let _ =
|
|
|
|
|
webpki::TrustAnchor::try_from_cert_der(ca).expect("godaddy cert should parse as anchor");
|
2016-06-18 15:18:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
|
fn read_root_with_neg_serial() {
|
|
|
|
|
let ca = include_bytes!("misc/serial_neg.der");
|
2021-04-09 19:14:26 +00:00
|
|
|
let _ = webpki::TrustAnchor::try_from_cert_der(ca).expect("idcat cert should parse as anchor");
|
2016-06-18 15:18:23 +00:00
|
|
|
}
|
2017-04-17 08:55:34 +00:00
|
|
|
|
2017-08-18 20:46:35 +00:00
|
|
|
#[cfg(feature = "std")]
|
2017-04-17 08:55:34 +00:00
|
|
|
#[test]
|
2020-12-29 20:42:10 +00:00
|
|
|
fn time_constructor() {
|
|
|
|
|
let _ = webpki::Time::try_from(std::time::SystemTime::now()).unwrap();
|
|
|
|
|
}
|
