Move SCT verification into the CertificateTransparencyPolicy type

rustls · Sep 15, 2021 · 8efc9a4 · 8efc9a4
1 parent 59d895e
commit 8efc9a4
Showing 1 changed file with 49 additions and 49 deletions.
diff --git a/rustls/src/verify.rs b/rustls/src/verify.rs
@@ -308,13 +308,7 @@ impl ServerCertVerifier for WebPkiVerifier {
             .map(|_| cert)?;
 
         if let Some(policy) = &self.ct_policy {
-            match policy
-                .validation_deadline
-                .duration_since(now)
-            {
-                Ok(_) => verify_scts(end_entity, now, scts, policy.logs)?,
-                Err(_) => warn!("certificate transparency logs have expired, validation disabled"),
-            }
+            policy.verify(end_entity, now, scts)?;
         }
 
         if !ocsp_response.is_empty() {
@@ -389,6 +383,54 @@ impl CertificateTransparencyPolicy {
             validation_deadline,
         }
     }
+
+    fn verify(
+        &self,
+        cert: &Certificate,
+        now: SystemTime,
+        scts: &mut dyn Iterator<Item = &[u8]>,
+    ) -> Result<(), Error> {
+        if self.logs.is_empty() {
+            return Ok(());
+        } else if let Err(_) = self
+            .validation_deadline
+            .duration_since(now)
+        {
+            warn!("certificate transparency logs have expired, validation disabled");
+            return Ok(());
+        }
+
+        let now = unix_time_millis(now)?;
+        let mut last_sct_error = None;
+        for sct in scts {
+            #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
+            match sct::verify_sct(&cert.0, sct, now, self.logs) {
+                Ok(index) => {
+                    debug!(
+                        "Valid SCT signed by {} on {}",
+                        self.logs[index].operated_by, self.logs[index].description
+                    );
+                    return Ok(());
+                }
+                Err(e) => {
+                    if e.should_be_fatal() {
+                        return Err(Error::InvalidSct(e));
+                    }
+                    debug!("SCT ignored because {:?}", e);
+                    last_sct_error = Some(e);
+                }
+            }
+        }
+
+        /* If we were supplied with some logs, and some SCTs,
+         * but couldn't verify any of them, fail the handshake. */
+        if let Some(last_sct_error) = last_sct_error {
+            warn!("No valid SCTs provided");
+            return Err(Error::InvalidSct(last_sct_error));
+        }
+
+        Ok(())
+    }
 }
 
 type CertChainAndRoots<'a, 'b> = (
@@ -684,45 +726,3 @@ fn unix_time_millis(now: SystemTime) -> Result<u64, Error> {
                 .ok_or(Error::FailedToGetCurrentTime)
         })
 }
-
-fn verify_scts(
-    cert: &Certificate,
-    now: SystemTime,
-    scts: &mut dyn Iterator<Item = &[u8]>,
-    logs: &[&sct::Log],
-) -> Result<(), Error> {
-    if logs.is_empty() {
-        return Ok(());
-    }
-
-    let now = unix_time_millis(now)?;
-    let mut last_sct_error = None;
-    for sct in scts {
-        #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
-        match sct::verify_sct(&cert.0, sct, now, logs) {
-            Ok(index) => {
-                debug!(
-                    "Valid SCT signed by {} on {}",
-                    logs[index].operated_by, logs[index].description
-                );
-                return Ok(());
-            }
-            Err(e) => {
-                if e.should_be_fatal() {
-                    return Err(Error::InvalidSct(e));
-                }
-                debug!("SCT ignored because {:?}", e);
-                last_sct_error = Some(e);
-            }
-        }
-    }
-
-    /* If we were supplied with some logs, and some SCTs,
-     * but couldn't verify any of them, fail the handshake. */
-    if let Some(last_sct_error) = last_sct_error {
-        warn!("No valid SCTs provided");
-        return Err(Error::InvalidSct(last_sct_error));
-    }
-
-    Ok(())
-}