From d34ab513e9e1b4299748ef876a12e4d0a04ff0ac Mon Sep 17 00:00:00 2001 From: moparisthebest Date: Thu, 17 Aug 2023 00:21:35 -0400 Subject: [PATCH] Upgrade webpki --- Cargo.lock | 14 ++------------ Cargo.toml | 2 +- src/common/ca_roots.rs | 11 +++++------ src/verify.rs | 5 +++-- 4 files changed, 11 insertions(+), 21 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 112f2ab..6d99bdf 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1200,7 +1200,7 @@ checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb" dependencies = [ "log", "ring", - "rustls-webpki 0.101.3", + "rustls-webpki", "sct", ] @@ -1225,16 +1225,6 @@ dependencies = [ "base64", ] -[[package]] -name = "rustls-webpki" -version = "0.100.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6207cd5ed3d8dca7816f8f3725513a34609c0c765bf652b8c3cb4cfd87db46b" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "rustls-webpki" version = "0.101.3" @@ -2088,7 +2078,7 @@ dependencies = [ "rustls", "rustls-native-certs", "rustls-pemfile", - "rustls-webpki 0.100.1", + "rustls-webpki", "serde", "serde_derive", "serde_json", diff --git a/Cargo.toml b/Cargo.toml index 6df5855..cb0c1c2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -45,7 +45,7 @@ env_logger = { version = "0.10", optional = true, features = [] } # incoming deps tokio-rustls = { version = "0.24", optional = true } -webpki = { package = "rustls-webpki", version = "0.100", optional = true } +webpki = { package = "rustls-webpki", version = "0.101", optional = true } # outgoing deps lazy_static = "1.4" diff --git a/src/common/ca_roots.rs b/src/common/ca_roots.rs index ff52897..ff4e3f0 100644 --- a/src/common/ca_roots.rs +++ b/src/common/ca_roots.rs 
@@ -1,9 +1,9 @@ #[cfg(feature = "webpki")] -use webpki::{TlsServerTrustAnchors, TrustAnchor}; +use webpki::TrustAnchor; #[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))] lazy_static::lazy_static! { - pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = { + pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = { let root_cert_store: &mut Box> = Box::leak(Box::default()); for ta in webpki_roots::TLS_SERVER_ROOTS { let ta = TrustAnchor { @@ -13,13 +13,13 @@ lazy_static::lazy_static! { }; root_cert_store.push(ta); } - TlsServerTrustAnchors(root_cert_store) + root_cert_store }; } #[cfg(all(feature = "rustls-native-certs", not(feature = "webpki-roots")))] lazy_static::lazy_static! { - pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = { + pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = { // we need these to stick around for 'static, this is only called once so no problem let certs = Box::leak(Box::new(rustls_native_certs::load_native_certs().expect("could not load platform certs"))); let root_cert_store: &mut Box> = Box::leak(Box::default()); @@ -29,7 +29,7 @@ lazy_static::lazy_static! { root_cert_store.push(ta); } } - TlsServerTrustAnchors(root_cert_store) + root_cert_store }; } @@ -38,7 +38,6 @@ pub fn root_cert_store() -> rustls::RootCertStore { let mut root_cert_store = RootCertStore::empty(); root_cert_store.add_trust_anchors( TLS_SERVER_ROOTS - .0 .iter() .map(|ta| OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject, ta.spki, ta.name_constraints)), ); diff --git a/src/verify.rs b/src/verify.rs index 5dedebe..f404750 100644 --- a/src/verify.rs +++ b/src/verify.rs @@ -10,7 +10,7 @@ use rustls::{ Certificate, CertificateError, DistinguishedName, Error, ServerName, }; use std::{convert::TryFrom, time::SystemTime}; -use webpki::DnsName; +use webpki::{DnsName, KeyUsage}; type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm]; 
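Review bot: In src/common/ca_roots.rs both `TLS_SERVER_ROOTS` definitions (hunks -1,9 and -13,13) now expose a bare `&'static [TrustAnchor<'static>]` with no doc comment. With the `TlsServerTrustAnchors` wrapper gone, only the name tells a reader that this is the trust store src/verify.rs passes to `verify_for_usage`. I would add `/// Trust anchors for TLS server certificate validation; built once on first access and intentionally leaked for the process lifetime.` to each static. In the `rustls-native-certs` variant, `expect("could not load platform certs")` panics on first access rather than continuing with no roots, which fails closed and deserves one more line in the same comment. Both `lazy_static!` blocks extend beyond the lines shown in these hunks.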
@@ -45,7 +45,8 @@ pub fn verify_is_valid_tls_server_cert<'a>(end_entity: &'a Certificate, intermed let (cert, chain) = prepare(end_entity, intermediates)?; let webpki_now = webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?; - cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &TLS_SERVER_ROOTS, &chain, webpki_now).map_err(pki_error)?; + cert.verify_for_usage(SUPPORTED_SIG_ALGS, &TLS_SERVER_ROOTS, &chain, webpki_now, KeyUsage::server_auth(), &[]) + .map_err(pki_error)?; Ok(cert) }
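Review bot: The final `&[]` passed to `verify_for_usage` is the CRL list, so the chain is validated with no revocation check, and nothing at the call site says this is intended. The replaced `verify_is_valid_tls_server_cert` took no revocation input either, so behaviour is unchanged, but the choice is now explicit and worth a comment above the call, e.g. `// crls = &[]: revocation is not checked; a revoked but unexpired certificate still verifies`. `KeyUsage::server_auth()` keeps the serverAuth EKU requirement of the old method. The function's signature and the start of its body are outside this hunk.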