mirror of https://github.com/briansmith/webpki
5 Commits
24fc24d674
...
a463719ae3
Author | SHA1 | Date |
---|---|---|
Ben Noordhuis | a463719ae3 | |
Brian Smith | 94e6e88ed9 | |
Brian Smith | 9613e5d115 | |
Brian Smith | 8f81719df5 | |
Ben Noordhuis | 3cef1bf053 |
|
@ -141,7 +141,7 @@ jobs:
|
|||
|
||||
include:
|
||||
- target: aarch64-apple-darwin
|
||||
host_os: macos-13-xlarge
|
||||
host_os: macos-14
|
||||
|
||||
- target: aarch64-pc-windows-msvc
|
||||
host_os: windows-latest
|
||||
|
|
23
mk/cargo.sh
23
mk/cargo.sh
|
@ -21,6 +21,9 @@ rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
|
|||
qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
|
||||
qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
|
||||
qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
|
||||
qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
|
||||
qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
|
||||
qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
|
||||
qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
|
||||
qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
|
||||
qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
|
||||
|
@ -51,7 +54,7 @@ for arg in $*; do
|
|||
done
|
||||
|
||||
# See comments in install-build-tools.sh.
|
||||
llvm_version=16
|
||||
llvm_version=18
|
||||
|
||||
case $target in
|
||||
aarch64-linux-android)
|
||||
|
@ -112,6 +115,24 @@ case $target in
|
|||
export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
|
||||
export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
|
||||
;;
|
||||
mips-unknown-linux-gnu)
|
||||
export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
|
||||
export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
|
||||
export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
|
||||
export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
|
||||
;;
|
||||
mips64-unknown-linux-gnuabi64)
|
||||
export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
|
||||
export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
|
||||
export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
|
||||
export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
|
||||
;;
|
||||
mips64el-unknown-linux-gnuabi64)
|
||||
export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
|
||||
export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
|
||||
export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
|
||||
export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
|
||||
;;
|
||||
mipsel-unknown-linux-gnu)
|
||||
export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
|
||||
export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar
|
||||
|
|
|
@ -94,6 +94,24 @@ case $target in
|
|||
--target=loongarch64-unknown-linux-gnu)
|
||||
use_clang=1
|
||||
;;
|
||||
--target=mips-unknown-linux-gnu)
|
||||
install_packages \
|
||||
gcc-mips-linux-gnu \
|
||||
libc6-dev-mips-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mips64-unknown-linux-gnuabi64)
|
||||
install_packages \
|
||||
gcc-mips64-linux-gnuabi64 \
|
||||
libc6-dev-mips64-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mips64el-unknown-linux-gnuabi64)
|
||||
install_packages \
|
||||
gcc-mips64el-linux-gnuabi64 \
|
||||
libc6-dev-mips64el-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mipsel-unknown-linux-gnu)
|
||||
install_packages \
|
||||
gcc-mipsel-linux-gnu \
|
||||
|
@ -155,7 +173,7 @@ esac
|
|||
case "$OSTYPE" in
|
||||
linux*)
|
||||
ubuntu_codename=$(lsb_release --codename --short)
|
||||
llvm_version=16
|
||||
llvm_version=18
|
||||
sudo apt-key add mk/llvm-snapshot.gpg.key
|
||||
sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
|
||||
sudo apt-get update
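Review bot: The `llvm_version=18` bump still installs the toolchain through `sudo apt-key add mk/llvm-snapshot.gpg.key` and a plain `http://apt.llvm.org/` source, both visible as context directly below the changed line. `apt-key add` puts the key in the global trusted set, so it is accepted for every configured repository rather than only the LLVM one, and the tool is deprecated in current apt releases. Scoping the key would mean storing it dearmored under `/etc/apt/keyrings/` and writing the source as `deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg] https://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main` (the keyring file name here is a constructed example). The same version number is hard-coded in `mk/cargo.sh`, so a comment next to `llvm_version` naming the other file would help keep the two in step. The enclosing `case "$OSTYPE"` block continues outside the hunk.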
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
use crate::{calendar, time, Error};
|
||||
pub use ring::io::{
|
||||
der::{nested, Tag, CONSTRUCTED},
|
||||
der::{nested, Tag},
|
||||
Positive,
|
||||
};
|
||||
|
||||
|
|
|
@ -70,10 +70,7 @@ pub fn check_name_constraints(
|
|||
if !inner.peek(subtrees_tag.into()) {
|
||||
return Ok(None);
|
||||
}
|
||||
let subtrees = der::nested(inner, subtrees_tag, Error::BadDer, |tagged| {
|
||||
der::expect_tag_and_get_value(tagged, der::Tag::Sequence)
|
||||
})?;
|
||||
Ok(Some(subtrees))
|
||||
der::expect_tag_and_get_value(inner, subtrees_tag).map(Some)
|
||||
}
|
||||
|
||||
let permitted_subtrees = parse_subtrees(input, der::Tag::ContextSpecificConstructed0)?;
|
||||
|
@ -167,6 +164,10 @@ fn check_presented_id_conforms_to_constraints_in_subtree(
|
|||
dns_name::presented_id_matches_constraint(name, base).ok_or(Error::BadDer)
|
||||
}
|
||||
|
||||
(GeneralName::DirectoryName(name), GeneralName::DnsName(base)) => {
|
||||
common_name(name).map(|cn| cn == base)
|
||||
}
|
||||
|
||||
(GeneralName::DirectoryName(name), GeneralName::DirectoryName(base)) => Ok(
|
||||
presented_directory_name_matches_constraint(name, base, subtrees),
|
||||
),
|
||||
|
@ -326,3 +327,18 @@ fn general_name<'a>(input: &mut untrusted::Reader<'a>) -> Result<GeneralName<'a>
|
|||
};
|
||||
Ok(name)
|
||||
}
|
||||
|
||||
static COMMON_NAME: untrusted::Input = untrusted::Input::from(&[85, 4, 3]);
|
||||
|
||||
fn common_name(input: untrusted::Input) -> Result<untrusted::Input, Error> {
|
||||
let inner = &mut untrusted::Reader::new(input);
|
||||
der::nested(inner, der::Tag::Set, Error::BadDer, |tagged| {
|
||||
der::nested(tagged, der::Tag::Sequence, Error::BadDer, |tagged| {
|
||||
let value = der::expect_tag_and_get_value(tagged, der::Tag::OID)?;
|
||||
if value != COMMON_NAME {
|
||||
return Err(Error::BadDer);
|
||||
}
|
||||
der::expect_tag_and_get_value(tagged, der::Tag::UTF8String)
|
||||
})
|
||||
})
|
||||
}
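Review bot: The new `(GeneralName::DirectoryName(name), GeneralName::DnsName(base))` arm compares the subject's common name with the dNSName constraint by raw byte equality (`cn == base`), while the `DnsName` arm just above it goes through `dns_name::presented_id_matches_constraint`. If this arm is also reached for excluded subtrees, as the `subtrees` argument in the following arm suggests, a CN that differs only in case or is a subdomain of the excluded base would not count as a match, and for permitted subtrees a subdomain CN would be rejected. Consider `common_name(name).and_then(|cn| dns_name::presented_id_matches_constraint(cn, base).ok_or(Error::BadDer))`, after deciding how a CN that is not a DNS name should be treated. `common_name` itself reads only the first RDN, accepts only a `UTF8String` value and does not check for trailing data, so a subject that starts with another attribute or encodes the CN as PrintableString fails with `Error::BadDer`; a doc comment stating that contract, or a loop over all RDNs, would make the intent explicit. The function containing the match starts and ends outside the hunk.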
|
||||
|
|
|
@ -80,6 +80,7 @@ fn build_chain_inner(
|
|||
|
||||
// TODO: revocation.
|
||||
|
||||
#[allow(clippy::blocks_in_conditions)]
|
||||
match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
|
||||
let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
|
||||
if !equal(cert.issuer, trust_anchor_subject) {
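Review bot: The added `#[allow(clippy::blocks_in_conditions)]` above `match loop_while_non_fatal_error(...)` gives no reason, so a later reader cannot tell whether it is a stop-gap for a newer clippy or a deliberate choice. A trailing comment would record that, e.g. `#[allow(clippy::blocks_in_conditions)] // TODO: bind the loop result to a local before matching`. Binding the result of `loop_while_non_fatal_error` to a named local and matching on that would presumably remove the need for the suppression in this chain-building path. `build_chain_inner` starts and ends outside the hunk.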
|
||||
|
|
|
@ -53,6 +53,25 @@ pub fn netflix() {
|
|||
);
|
||||
}
|
||||
|
||||
#[cfg(feature = "alloc")]
|
||||
#[test]
|
||||
pub fn wpt() {
|
||||
let ee: &[u8] = include_bytes!("wpt/ee.der");
|
||||
let ca = include_bytes!("wpt/ca.der");
|
||||
|
||||
let anchors = vec![webpki::TrustAnchor::try_from_cert_der(ca).unwrap()];
|
||||
let anchors = webpki::TlsServerTrustAnchors(&anchors);
|
||||
|
||||
#[allow(clippy::unreadable_literal)] // TODO: Make this clear.
|
||||
let time = webpki::Time::from_seconds_since_unix_epoch(1619256684);
|
||||
|
||||
let cert = webpki::EndEntityCert::try_from(ee).unwrap();
|
||||
assert_eq!(
|
||||
Ok(()),
|
||||
cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[], time)
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
pub fn ed25519() {
|
||||
let ee: &[u8] = include_bytes!("ed25519/ee.der");
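Review bot: `wpt()` asserts only that the chain verifies (`Ok(())`), so nothing in this section shows the changed name-constraint code rejecting a certificate that violates a constraint. A companion test would pin the security-relevant direction of the change: use a fixture whose common name or SAN falls outside the permitted subtree, or inside an excluded one, and assert the specific `Err(...)` variant. The `1619256684` literal already carries a TODO; a comment such as `// 2021-04-24T09:31:24Z, inside the validity window of wpt/ee.der` would resolve it, with the validity claim to be confirmed against the fixture. The two `.der` fixtures are binary and not shown, so a note in the test on how they were generated would help reviewers reproduce them.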
|
||||
|
|
Binary file not shown.
Binary file not shown.