rust
/
webpki
mirror of https://github.com/briansmith/webpki
1
0
Fork 0
Code Issues Releases Wiki Activity

Upgrade to *ring* 0.17 and untrusted 0.9. 

untrusted 0.9 is used by *ring*. untrusted stopped providing a `PartialEq`
for `Input` in 0.9; this was the driver for all the code changes.
This commit is contained in:
Brian Smith 2023-09-29 20:53:57 -07:00
parent 301128fa01
commit 16a2638bd0
6 changed files with 32 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Cargo.toml
View File

@ -56,8 +56,8 @@ alloc = ["ring/alloc"]
std = ["alloc"]
[dependencies]
ring = { version = "0.16.19", default-features = false }
untrusted = "0.7.1"
ring = { version = "0.17.0", default-features = false }
untrusted = "0.9"
[dev-dependencies]
base64 = "0.9.1"

4
src/cert.rs
View File

@ -12,7 +12,7 @@
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
use crate::{der, signed_data, Error};
use crate::{der, equal, signed_data, Error};
pub enum EndEntityOrCa<'a> {
EndEntity,
@ -66,7 +66,7 @@ pub(crate) fn parse_cert_internal<'a>(
// TODO: In mozilla::pkix, the comparison is done based on the
// normalized value (ignoring whether or not there is an optional NULL
// parameter for RSA-based algorithms), so this may be too strict.
if signature != signed_data.algorithm {
if !equal(signature, signed_data.algorithm) {
return Err(Error::SignatureAlgorithmMismatch);
}

6
src/lib.rs
View File

@ -95,3 +95,9 @@ pub type TLSServerTrustAnchors<'a> = TlsServerTrustAnchors<'a>;
#[deprecated(note = "use TlsClientTrustAnchors")]
#[allow(unknown_lints, clippy::upper_case_acronyms)]
pub type TLSClientTrustAnchors<'a> = TlsClientTrustAnchors<'a>;
// We don't operate on secret data so a convenient comparison function is warranted.
#[must_use]
fn equal(a: untrusted::Input, b: untrusted::Input) -> bool {
a.as_slice_less_safe() == b.as_slice_less_safe()
}

4
src/name/verify.rs
View File

@ -18,7 +18,7 @@ use super::{
};
use crate::{
cert::{Cert, EndEntityOrCa},
der, Error,
der, equal, Error,
};
pub fn verify_cert_dns_name(
@ -234,7 +234,7 @@ fn presented_directory_name_matches_constraint(
subtrees: Subtrees,
) -> bool {
match subtrees {
Subtrees::PermittedSubtrees => name == constraint,
Subtrees::PermittedSubtrees => equal(name, constraint),
Subtrees::ExcludedSubtrees => true,
}
}

17
src/signed_data.rs
View File

@ -12,7 +12,7 @@
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
use crate::{der, Error};
use crate::{der, equal, Error};
use ring::signature;
/// X.509 certificates and related items that are signed are almost always
@ -313,7 +313,7 @@ struct AlgorithmIdentifier {
impl AlgorithmIdentifier {
fn matches_algorithm_id_value(&self, encoded: untrusted::Input) -> bool {
encoded == self.asn1_id_value
equal(encoded, self.asn1_id_value)
}
}
@ -461,10 +461,12 @@ mod tests {
let tsd = parse_test_signed_data(file_contents);
let signature = untrusted::Input::from(&tsd.signature);
assert_eq!(
Err(expected_error),
signature.read_all(Error::BadDer, |input| {
der::bit_string_with_no_unused_bits(input)
})
expected_error,
signature
.read_all(Error::BadDer, |input| {
der::bit_string_with_no_unused_bits(input)
})
.unwrap_err()
);
}
@ -482,10 +484,11 @@ mod tests {
let tsd = parse_test_signed_data(file_contents);
let spki = untrusted::Input::from(&tsd.spki);
assert_eq!(
Err(expected_error),
expected_error,
spki.read_all(Error::BadDer, |input| {
der::expect_tag_and_get_value(input, der::Tag::Sequence)
})
.unwrap_err()
);
}

17
src/verify_cert.rs
View File

@ -17,7 +17,7 @@ use core::default::Default;
use crate::{
budget::Budget,
cert::{self, Cert, EndEntityOrCa},
der,
der, equal,
error::ErrorOrInternalError,
name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor,
};
@ -89,7 +89,7 @@ fn build_chain_inner(
match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
if cert.issuer != trust_anchor_subject {
if !equal(cert.issuer, trust_anchor_subject) {
return Err(Error::UnknownIssuer.into());
}
@ -118,15 +118,15 @@ fn build_chain_inner(
let potential_issuer =
cert::parse_cert(untrusted::Input::from(cert_der), EndEntityOrCa::Ca(cert))?;
if potential_issuer.subject != cert.issuer {
if !equal(potential_issuer.subject, cert.issuer) {
return Err(Error::UnknownIssuer.into());
}
// Prevent loops; see RFC 4158 section 5.2.
let mut prev = cert;
loop {
if potential_issuer.spki.value() == prev.spki.value()
&& potential_issuer.subject == prev.subject
if equal(potential_issuer.spki.value(), prev.spki.value())
&& equal(potential_issuer.subject, prev.subject)
{
return Err(Error::UnknownIssuer.into());
}
@ -361,7 +361,7 @@ fn check_eku(
Some(input) => {
loop {
let value = der::expect_tag_and_get_value(input, der::Tag::OID)?;
if value == required_eku_if_present.oid_value {
if equal(value, required_eku_if_present.oid_value) {
input.skip_to_end();
break;
}
@ -381,7 +381,10 @@ fn check_eku(
// important that id-kp-OCSPSigning is explicit so that a normal
// end-entity certificate isn't able to sign trusted OCSP responses
// for itself or for other certificates issued by its issuing CA.
if required_eku_if_present.oid_value == EKU_OCSP_SIGNING.oid_value {
if equal(
required_eku_if_present.oid_value,
EKU_OCSP_SIGNING.oid_value,
) {
return Err(Error::RequiredEkuNotFound);
}