diff --git a/Cargo.lock b/Cargo.lock index d8512fbfda2..13c62354b0e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -939,9 +939,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.102.0-alpha.4" +version = "0.102.0-alpha.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa3ae0c05ae540f6d9089b731c26e49863058f03082dcef070df987bcc8db7ba" +checksum = "34d9ed3a8267782ba32d257ff5b197b63eef19a467dbd1be011caaae35ee416e" dependencies = [ "ring 0.17.2", "rustls-pki-types", diff --git a/fuzz/Cargo.lock b/fuzz/Cargo.lock index ee9c17bc68f..7f34b0e15ba 100644 --- a/fuzz/Cargo.lock +++ b/fuzz/Cargo.lock @@ -97,9 +97,9 @@ checksum = "a47003264dea418db67060fa420ad16d0d2f8f0a0360d825c00e177ac52cb5d8" [[package]] name = "rustls-webpki" -version = "0.102.0-alpha.4" +version = "0.102.0-alpha.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa3ae0c05ae540f6d9089b731c26e49863058f03082dcef070df987bcc8db7ba" +checksum = "34d9ed3a8267782ba32d257ff5b197b63eef19a467dbd1be011caaae35ee416e" dependencies = [ "ring", "rustls-pki-types", diff --git a/rustls/Cargo.toml b/rustls/Cargo.toml index b589c7794bd..32046a2f600 100644 --- a/rustls/Cargo.toml +++ b/rustls/Cargo.toml @@ -19,7 +19,7 @@ rustversion = { version = "1.0.6", optional = true } log = { version = "0.4.4", optional = true } ring = { version = "0.17", optional = true } subtle = "2.5.0" -webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.4", features = ["alloc", "std"], default-features = false } +webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.6", features = ["alloc", "std"], default-features = false } pki-types = { package = "rustls-pki-types", version = "0.2.1", features = ["std"] } zeroize = "1.6.0" diff --git a/rustls/src/webpki/client_verifier.rs b/rustls/src/webpki/client_verifier.rs index 1ffa40fd73b..1a9219d8c18 100644 --- a/rustls/src/webpki/client_verifier.rs +++ b/rustls/src/webpki/client_verifier.rs 
@@ -2,20 +2,16 @@ use alloc::sync::Arc; use alloc::vec::Vec; use pki_types::{CertificateDer, CertificateRevocationListDer, UnixTime}; -use webpki::{ - BorrowedCertRevocationList, OwnedCertRevocationList, RevocationCheckDepth, UnknownStatusPolicy, -}; +use webpki::{CertRevocationList, RevocationCheckDepth, UnknownStatusPolicy}; -use super::{borrow_crls, crl_error, pki_error, VerifierBuilderError}; +use super::{pki_error, VerifierBuilderError}; use crate::verify::{ ClientCertVerified, ClientCertVerifier, DigitallySignedStruct, HandshakeSignatureValid, NoClientAuth, }; +use crate::webpki::parse_crls; use crate::webpki::verify::{verify_signed_struct, verify_tls13, ParsedCertificate}; -use crate::{ - CertRevocationListError, DistinguishedName, Error, RootCertStore, SignatureScheme, - WebPkiSupportedAlgorithms, -}; +use crate::{DistinguishedName, Error, RootCertStore, SignatureScheme, WebPkiSupportedAlgorithms}; /// A builder for configuring a `webpki` client certificate verifier. /// @@ -144,14 +140,7 @@ impl ClientCertVerifierBuilder { Ok(Arc::new(WebPkiClientVerifier::new( self.roots, - self.crls - .into_iter() - .map(|der_crl| { - BorrowedCertRevocationList::from_der(der_crl.as_ref()) - .and_then(|crl| crl.to_owned()) - .map_err(crl_error) - }) - .collect::, CertRevocationListError>>()?, + parse_crls(self.crls)?, self.revocation_check_depth, self.unknown_revocation_policy, self.anon_policy, @@ -215,7 +204,7 @@ impl ClientCertVerifierBuilder { pub struct WebPkiClientVerifier { roots: Arc, subjects: Vec, - crls: Vec, + crls: Vec>, revocation_check_depth: RevocationCheckDepth, unknown_revocation_policy: UnknownStatusPolicy, anonymous_policy: AnonymousClientPolicy, 
@@ -256,7 +245,7 @@ impl WebPkiClientVerifier { /// * `supported_algs` specifies which signature verification algorithms should be used. pub(crate) fn new( roots: Arc, - crls: Vec, + crls: Vec>, revocation_check_depth: RevocationCheckDepth, unknown_revocation_policy: UnknownStatusPolicy, anonymous_policy: AnonymousClientPolicy, @@ -301,21 +290,19 @@ impl ClientCertVerifier for WebPkiClientVerifier { now: UnixTime, ) -> Result { let cert = ParsedCertificate::try_from(end_entity)?; - let crls = borrow_crls(&self.crls); - let revocation = if crls.is_empty() { + let crl_refs = self.crls.iter().collect::>(); + + let revocation = if self.crls.is_empty() { None } else { - let mut builder = webpki::RevocationOptionsBuilder::new(&crls) - .expect("invalid crls") - .with_depth(self.revocation_check_depth); - if matches!( - self.unknown_revocation_policy, - webpki::UnknownStatusPolicy::Allow - ) { - builder = builder.allow_unknown_status(); - } - Some(builder.build()) + Some( + webpki::RevocationOptionsBuilder::new(&crl_refs) + .unwrap() + .with_depth(self.revocation_check_depth) + .with_status_policy(self.unknown_revocation_policy) + .build(), + ) }; cert.0 @@ -326,6 +313,7 @@ impl ClientCertVerifier for WebPkiClientVerifier { now, webpki::KeyUsage::client_auth(), revocation, + None, ) .map_err(pki_error) .map(|_| ClientCertVerified::assertion()) diff --git a/rustls/src/webpki/mod.rs b/rustls/src/webpki/mod.rs index 589e4c074fd..d72edc23b67 100644 --- a/rustls/src/webpki/mod.rs +++ b/rustls/src/webpki/mod.rs @@ -1,7 +1,10 @@ use alloc::sync::Arc; use alloc::vec::Vec; use core::fmt; + +use pki_types::CertificateRevocationListDer; use std::error::Error as StdError; +use webpki::{CertRevocationList, OwnedCertRevocationList}; use crate::error::{CertRevocationListError, CertificateError, Error}; 
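Review bot: The `.unwrap()` on `webpki::RevocationOptionsBuilder::new(&crl_refs)` in the client verifier replaces the old `expect("invalid crls")` and carries no comment, although it runs on every client-certificate verification and the reason it cannot panic should be visible at the call site. The `self.crls.is_empty()` check just above guards the call, so state that invariant, e.g. `.expect("RevocationOptionsBuilder::new only errors on an empty CRL list, checked above")`, matching the note the server verifier keeps at the same spot. The two call sites also differ in form (`&crl_refs` here, `crl_refs.as_slice()` in server_verifier.rs); using one form would make them easier to compare. The enclosing function starts and ends outside the hunk.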
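Review bot: The bare positional `None` added after `revocation` does not say which option is being declined, and the callee's signature is not visible in this hunk. It is presumably the new optional argument introduced by the rustls-webpki bump to 0.102.0-alpha.6. A trailing comment naming it, e.g. `None, // <parameter name>: not used by rustls`, would let a reader confirm that no verification step is being switched off. The same applies to the `None` added in `verify_server_cert_signed_by_trust_anchor_impl` in rustls/src/webpki/verify.rs, and both call expressions start outside their hunks.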
@@ -104,13 +107,13 @@ fn crl_error(e: webpki::Error) -> CertRevocationListError { } } -fn borrow_crls( - crls: &Vec, -) -> Vec<&dyn webpki::CertRevocationList> { - #[allow(trivial_casts)] // Cast to &dyn trait is required. +fn parse_crls( + crls: Vec>, +) -> Result>, CertRevocationListError> { crls.iter() - .map(|crl| crl as &dyn webpki::CertRevocationList) - .collect::>() + .map(|der| OwnedCertRevocationList::from_der(der.as_ref()).map(Into::into)) + .collect::, _>>() + .map_err(crl_error) } mod tests { diff --git a/rustls/src/webpki/server_verifier.rs b/rustls/src/webpki/server_verifier.rs index d57578cc34b..150d86433a0 100644 --- a/rustls/src/webpki/server_verifier.rs +++ b/rustls/src/webpki/server_verifier.rs @@ -4,9 +4,7 @@ use alloc::sync::Arc; use alloc::vec::Vec; use pki_types::{CertificateDer, CertificateRevocationListDer, UnixTime}; -use webpki::{ - BorrowedCertRevocationList, OwnedCertRevocationList, RevocationCheckDepth, UnknownStatusPolicy, -}; +use webpki::{CertRevocationList, RevocationCheckDepth, UnknownStatusPolicy}; use crate::verify::{ DigitallySignedStruct, HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier, @@ -17,11 +15,8 @@ use crate::webpki::verify::{ verify_server_cert_signed_by_trust_anchor_impl, verify_signed_struct, verify_tls13, ParsedCertificate, }; -use crate::webpki::{borrow_crls, crl_error, verify_server_name, VerifierBuilderError}; -use crate::{ - CertRevocationListError, Error, RootCertStore, ServerName, SignatureScheme, - WebPkiSupportedAlgorithms, -}; +use crate::webpki::{parse_crls, verify_server_name, VerifierBuilderError}; +use crate::{Error, RootCertStore, ServerName, SignatureScheme, WebPkiSupportedAlgorithms}; /// A builder for configuring a `webpki` server certificate verifier. /// 
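Review bot: `parse_crls` is undocumented, and its fail-closed behaviour is worth stating: collecting into a `Result` means the first CRL that fails to parse aborts the whole call rather than being skipped. I would add `/// Parses each DER-encoded CRL into an owned CRL. Returns the first parse error, so one malformed CRL fails verifier construction.` above the function. Separately, it takes `crls` by value but only calls `crls.iter()` and `der.as_ref()`, so a slice parameter would serve equally well; that is optional, since both visible callers pass `self.crls`.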
@@ -127,14 +122,7 @@ impl ServerCertVerifierBuilder { Ok(Arc::new(WebPkiServerVerifier::new( self.roots, - self.crls - .into_iter() - .map(|der_crl| { - BorrowedCertRevocationList::from_der(der_crl.as_ref()) - .and_then(|crl| crl.to_owned()) - .map_err(crl_error) - }) - .collect::, CertRevocationListError>>()?, + parse_crls(self.crls)?, self.revocation_check_depth, self.unknown_revocation_policy, supported_algs, @@ -146,7 +134,7 @@ impl ServerCertVerifierBuilder { #[allow(unreachable_pub)] pub struct WebPkiServerVerifier { roots: Arc, - crls: Vec, + crls: Vec>, revocation_check_depth: RevocationCheckDepth, unknown_revocation_policy: UnknownStatusPolicy, supported: WebPkiSupportedAlgorithms, @@ -188,7 +176,7 @@ impl WebPkiServerVerifier { /// certificate verification and TLS handshake signature verification. pub(crate) fn new( roots: impl Into>, - crls: Vec, + crls: Vec>, revocation_check_depth: RevocationCheckDepth, unknown_revocation_policy: UnknownStatusPolicy, supported: WebPkiSupportedAlgorithms, 
@@ -253,22 +241,20 @@ impl ServerCertVerifier for WebPkiServerVerifier { ) -> Result { let cert = ParsedCertificate::try_from(end_entity)?; - let crls = borrow_crls(&self.crls); - let revocation = if crls.is_empty() { + let crl_refs = self.crls.iter().collect::>(); + + let revocation = if self.crls.is_empty() { None } else { // Note: unwrap here is safe because RevocationOptionsBuilder only errors when given // empty CRLs. - let mut builder = webpki::RevocationOptionsBuilder::new(&crls) - .unwrap() - .with_depth(self.revocation_check_depth); - if matches!( - self.unknown_revocation_policy, - webpki::UnknownStatusPolicy::Allow - ) { - builder = builder.allow_unknown_status(); - } - Some(builder.build()) + Some( + webpki::RevocationOptionsBuilder::new(crl_refs.as_slice()) + .unwrap() + .with_depth(self.revocation_check_depth) + .with_status_policy(self.unknown_revocation_policy) + .build(), + ) }; // Note: we use the crate-internal `_impl` fn here in order to provide revocation diff --git a/rustls/src/webpki/verify.rs b/rustls/src/webpki/verify.rs index 026184e5df1..46cda9904ad 100644 --- a/rustls/src/webpki/verify.rs +++ b/rustls/src/webpki/verify.rs @@ -285,6 +285,7 @@ pub(crate) fn verify_server_cert_signed_by_trust_anchor_impl( now, webpki::KeyUsage::server_auth(), revocation, + None, ); match result { Ok(_) => Ok(()),