mirror of https://github.com/briansmith/webpki
Compare commits
5 Commits
a3d2169045
...
d936ff4e2b
Author | SHA1 | Date |
---|---|---|
Lu Xiaoyu | d936ff4e2b | |
Brian Smith | 94e6e88ed9 | |
Brian Smith | 9613e5d115 | |
Brian Smith | 8f81719df5 | |
Xiaoyu Lu | eb358ea1cf |
|
@ -141,7 +141,7 @@ jobs:
|
|||
|
||||
include:
|
||||
- target: aarch64-apple-darwin
|
||||
host_os: macos-13-xlarge
|
||||
host_os: macos-14
|
||||
|
||||
- target: aarch64-pc-windows-msvc
|
||||
host_os: windows-latest
|
||||
|
|
23
mk/cargo.sh
23
mk/cargo.sh
|
@ -21,6 +21,9 @@ rustflags_self_contained="-Clink-self-contained=yes -Clinker=rust-lld"
|
|||
qemu_aarch64="qemu-aarch64 -L /usr/aarch64-linux-gnu"
|
||||
qemu_arm_gnueabi="qemu-arm -L /usr/arm-linux-gnueabi"
|
||||
qemu_arm_gnueabihf="qemu-arm -L /usr/arm-linux-gnueabihf"
|
||||
qemu_mips="qemu-mips -L /usr/mips-linux-gnu"
|
||||
qemu_mips64="qemu-mips64 -L /usr/mips64-linux-gnuabi64"
|
||||
qemu_mips64el="qemu-mips64el -L /usr/mips64el-linux-gnuabi64"
|
||||
qemu_mipsel="qemu-mipsel -L /usr/mipsel-linux-gnu"
|
||||
qemu_powerpc="qemu-ppc -L /usr/powerpc-linux-gnu"
|
||||
qemu_powerpc64="qemu-ppc64 -L /usr/powerpc64-linux-gnu"
|
||||
|
@ -51,7 +54,7 @@ for arg in $*; do
|
|||
done
|
||||
|
||||
# See comments in install-build-tools.sh.
|
||||
llvm_version=16
|
||||
llvm_version=18
|
||||
|
||||
case $target in
|
||||
aarch64-linux-android)
|
||||
|
@ -112,6 +115,24 @@ case $target in
|
|||
export AR_i686_unknown_linux_musl=llvm-ar-$llvm_version
|
||||
export CARGO_TARGET_I686_UNKNOWN_LINUX_MUSL_RUSTFLAGS="$rustflags_self_contained"
|
||||
;;
|
||||
mips-unknown-linux-gnu)
|
||||
export CC_mips_unknown_linux_gnu=mips-linux-gnu-gcc
|
||||
export AR_mips_unknown_linux_gnu=mips-linux-gnu-gcc-ar
|
||||
export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_LINKER=mips-linux-gnu-gcc
|
||||
export CARGO_TARGET_MIPS_UNKNOWN_LINUX_GNU_RUNNER="$qemu_mips"
|
||||
;;
|
||||
mips64-unknown-linux-gnuabi64)
|
||||
export CC_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc
|
||||
export AR_mips64_unknown_linux_gnuabi64=mips64-linux-gnuabi64-gcc-ar
|
||||
export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_LINKER=mips64-linux-gnuabi64-gcc
|
||||
export CARGO_TARGET_MIPS64_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64"
|
||||
;;
|
||||
mips64el-unknown-linux-gnuabi64)
|
||||
export CC_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc
|
||||
export AR_mips64el_unknown_linux_gnuabi64=mips64el-linux-gnuabi64-gcc-ar
|
||||
export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_LINKER=mips64el-linux-gnuabi64-gcc
|
||||
export CARGO_TARGET_MIPS64EL_UNKNOWN_LINUX_GNUABI64_RUNNER="$qemu_mips64el"
|
||||
;;
|
||||
mipsel-unknown-linux-gnu)
|
||||
export CC_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc
|
||||
export AR_mipsel_unknown_linux_gnu=mipsel-linux-gnu-gcc-ar
|
||||
|
|
|
@ -94,6 +94,24 @@ case $target in
|
|||
--target=loongarch64-unknown-linux-gnu)
|
||||
use_clang=1
|
||||
;;
|
||||
--target=mips-unknown-linux-gnu)
|
||||
install_packages \
|
||||
gcc-mips-linux-gnu \
|
||||
libc6-dev-mips-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mips64-unknown-linux-gnuabi64)
|
||||
install_packages \
|
||||
gcc-mips64-linux-gnuabi64 \
|
||||
libc6-dev-mips64-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mips64el-unknown-linux-gnuabi64)
|
||||
install_packages \
|
||||
gcc-mips64el-linux-gnuabi64 \
|
||||
libc6-dev-mips64el-cross \
|
||||
qemu-user
|
||||
;;
|
||||
--target=mipsel-unknown-linux-gnu)
|
||||
install_packages \
|
||||
gcc-mipsel-linux-gnu \
|
||||
|
@ -155,7 +173,7 @@ esac
|
|||
case "$OSTYPE" in
|
||||
linux*)
|
||||
ubuntu_codename=$(lsb_release --codename --short)
|
||||
llvm_version=16
|
||||
llvm_version=18
|
||||
sudo apt-key add mk/llvm-snapshot.gpg.key
|
||||
sudo add-apt-repository "deb http://apt.llvm.org/$ubuntu_codename/ llvm-toolchain-$ubuntu_codename-$llvm_version main"
|
||||
sudo apt-get update
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
use crate::{calendar, time, Error};
|
||||
pub use ring::io::{
|
||||
der::{nested, Tag, CONSTRUCTED},
|
||||
der::{nested, Tag},
|
||||
Positive,
|
||||
};
|
||||
|
||||
|
|
|
@ -239,4 +239,39 @@ impl<'a> EndEntityCert<'a> {
|
|||
untrusted::Input::from(signature),
|
||||
)
|
||||
}
|
||||
|
||||
/// Verifies that the end-entity certificate is valid for use by cert chain
|
||||
///
|
||||
/// `required_eku` is the Certificate Extended Key Usage Oid in bytes.
|
||||
/// If the certificate is not valid for `required_eku` then this
|
||||
/// fails with `Error::CertNotValidForName`.
|
||||
/// `supported_sig_algs` is the list of signature algorithms that are
|
||||
/// trusted for use in certificate signatures; the end-entity certificate's
|
||||
/// public key is not validated against this list. `trust_anchors` is the
|
||||
/// list of root CAs to trust. `intermediate_certs` is the sequence of
|
||||
/// intermediate certificates that the client sent in the TLS handshake.
|
||||
/// `cert` is the purported end-entity certificate of the client. `time` is
|
||||
/// the time for which the validation is effective (usually the current
|
||||
/// time).
|
||||
///
|
||||
pub fn verify_is_valid_cert_with_eku(
|
||||
&self,
|
||||
required_eku: &'static [u8],
|
||||
supported_sig_algs: &[&SignatureAlgorithm],
|
||||
trust_anchors: &[crate::TrustAnchor],
|
||||
intermediate_certs: &[&[u8]],
|
||||
time: Time,
|
||||
) -> Result<(), Error> {
|
||||
let eku = verify_cert::KeyPurposeId::new(required_eku);
|
||||
|
||||
crate::verify_cert::build_chain(
|
||||
eku,
|
||||
supported_sig_algs,
|
||||
trust_anchors,
|
||||
intermediate_certs,
|
||||
&self.inner,
|
||||
time,
|
||||
0,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -80,6 +80,7 @@ fn build_chain_inner(
|
|||
|
||||
// TODO: revocation.
|
||||
|
||||
#[allow(clippy::blocks_in_conditions)]
|
||||
match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
|
||||
let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
|
||||
if !equal(cert.issuer, trust_anchor_subject) {
|
||||
|
@ -309,6 +310,22 @@ pub struct KeyPurposeId {
|
|||
oid_value: untrusted::Input<'static>,
|
||||
}
|
||||
|
||||
impl KeyPurposeId {
|
||||
/// Construct a new `KeyPurposeId`
|
||||
///
|
||||
/// `oid` is the OBJECT IDENTIFIER in bytes.
|
||||
///
|
||||
/// For example:
|
||||
/// static EKU_SERVER_AUTH_BYTES: &'static [u8] = &[(40 * 1) + 3, 6, 1, 5, 5, 7, 3, 1];
|
||||
/// let oid = KeyPurposeId::new(EKU_SERVER_AUTH_BYTES);
|
||||
///
|
||||
pub fn new(oid: &'static [u8]) -> Self {
|
||||
KeyPurposeId {
|
||||
oid_value: untrusted::Input::from(oid),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// id-pkix OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 }
|
||||
// id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
|
||||
|
||||
|
|
Loading…
Reference in New Issue