Upgrade webpki
Some checks failed
moparisthebest/xmpp-proxy/pipeline/head There was a failure building this commit

This commit is contained in:
Travis Burtrum 2023-08-17 00:21:35 -04:00
parent a02ad734b7
commit d34ab513e9
4 changed files with 11 additions and 21 deletions

14
Cargo.lock generated
View File

@ -1200,7 +1200,7 @@ checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb"
dependencies = [
"log",
"ring",
"rustls-webpki 0.101.3",
"rustls-webpki",
"sct",
]
@ -1225,16 +1225,6 @@ dependencies = [
"base64",
]
[[package]]
name = "rustls-webpki"
version = "0.100.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6207cd5ed3d8dca7816f8f3725513a34609c0c765bf652b8c3cb4cfd87db46b"
dependencies = [
"ring",
"untrusted",
]
[[package]]
name = "rustls-webpki"
version = "0.101.3"
@ -2088,7 +2078,7 @@ dependencies = [
"rustls",
"rustls-native-certs",
"rustls-pemfile",
"rustls-webpki 0.100.1",
"rustls-webpki",
"serde",
"serde_derive",
"serde_json",

View File

@ -45,7 +45,7 @@ env_logger = { version = "0.10", optional = true, features = [] }
# incoming deps
tokio-rustls = { version = "0.24", optional = true }
webpki = { package = "rustls-webpki", version = "0.100", optional = true }
webpki = { package = "rustls-webpki", version = "0.101", optional = true }
# outgoing deps
lazy_static = "1.4"

View File

@ -1,9 +1,9 @@
#[cfg(feature = "webpki")]
use webpki::{TlsServerTrustAnchors, TrustAnchor};
use webpki::TrustAnchor;
#[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))]
lazy_static::lazy_static! {
pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = {
let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
for ta in webpki_roots::TLS_SERVER_ROOTS {
let ta = TrustAnchor {
@ -13,13 +13,13 @@ lazy_static::lazy_static! {
};
root_cert_store.push(ta);
}
TlsServerTrustAnchors(root_cert_store)
root_cert_store
};
}
#[cfg(all(feature = "rustls-native-certs", not(feature = "webpki-roots")))]
lazy_static::lazy_static! {
pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = {
// we need these to stick around for 'static, this is only called once so no problem
let certs = Box::leak(Box::new(rustls_native_certs::load_native_certs().expect("could not load platform certs")));
let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
@ -29,7 +29,7 @@ lazy_static::lazy_static! {
root_cert_store.push(ta);
}
}
TlsServerTrustAnchors(root_cert_store)
root_cert_store
};
}
@ -38,7 +38,6 @@ pub fn root_cert_store() -> rustls::RootCertStore {
let mut root_cert_store = RootCertStore::empty();
root_cert_store.add_trust_anchors(
TLS_SERVER_ROOTS
.0
.iter()
.map(|ta| OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject, ta.spki, ta.name_constraints)),
);

View File

@ -10,7 +10,7 @@ use rustls::{
Certificate, CertificateError, DistinguishedName, Error, ServerName,
};
use std::{convert::TryFrom, time::SystemTime};
use webpki::DnsName;
use webpki::{DnsName, KeyUsage};
type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
@ -45,7 +45,8 @@ pub fn verify_is_valid_tls_server_cert<'a>(end_entity: &'a Certificate, intermed
let (cert, chain) = prepare(end_entity, intermediates)?;
let webpki_now = webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?;
cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &TLS_SERVER_ROOTS, &chain, webpki_now).map_err(pki_error)?;
cert.verify_for_usage(SUPPORTED_SIG_ALGS, &TLS_SERVER_ROOTS, &chain, webpki_now, KeyUsage::server_auth(), &[])
.map_err(pki_error)?;
Ok(cert)
}