Upgrade webpki

Cargo.lock

@@ -1200,7 +1200,7 @@ checksum = "1d1feddffcfcc0b33f5c6ce9a29e341e4cd59c3f78e7ee45f4a40c038b1d6cbb"
 dependencies = [
  "log",
  "ring",
- "rustls-webpki 0.101.3",
+ "rustls-webpki",
  "sct",
 ]
 
@@ -1225,16 +1225,6 @@ dependencies = [
  "base64",
 ]
 
-[[package]]
-name = "rustls-webpki"
-version = "0.100.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d6207cd5ed3d8dca7816f8f3725513a34609c0c765bf652b8c3cb4cfd87db46b"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "rustls-webpki"
 version = "0.101.3"
@@ -2088,7 +2078,7 @@ dependencies = [
  "rustls",
  "rustls-native-certs",
  "rustls-pemfile",
- "rustls-webpki 0.100.1",
+ "rustls-webpki",
  "serde",
  "serde_derive",
  "serde_json",

Cargo.toml

@@ -45,7 +45,7 @@ env_logger = { version = "0.10", optional = true, features = [] }
 
 # incoming deps
 tokio-rustls = { version = "0.24", optional = true }
-webpki = { package = "rustls-webpki", version = "0.100", optional = true }
+webpki = { package = "rustls-webpki", version = "0.101", optional = true }
 
 # outgoing deps
 lazy_static = "1.4"

src/common/ca_roots.rs

@@ -1,9 +1,9 @@
 #[cfg(feature = "webpki")]
-use webpki::{TlsServerTrustAnchors, TrustAnchor};
+use webpki::TrustAnchor;
 
 #[cfg(all(feature = "webpki-roots", not(feature = "rustls-native-certs")))]
 lazy_static::lazy_static! {
-    pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
+    pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = {
         let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
         for ta in webpki_roots::TLS_SERVER_ROOTS {
             let ta = TrustAnchor {
@@ -13,13 +13,13 @@ lazy_static::lazy_static! {
             };
             root_cert_store.push(ta);
         }
-        TlsServerTrustAnchors(root_cert_store)
+        root_cert_store
     };
 }
 
 #[cfg(all(feature = "rustls-native-certs", not(feature = "webpki-roots")))]
 lazy_static::lazy_static! {
-    pub static ref TLS_SERVER_ROOTS: TlsServerTrustAnchors<'static> = {
+    pub static ref TLS_SERVER_ROOTS: &'static [TrustAnchor<'static>] = {
         // we need these to stick around for 'static, this is only called once so no problem
         let certs = Box::leak(Box::new(rustls_native_certs::load_native_certs().expect("could not load platform certs")));
         let root_cert_store: &mut Box<Vec<_>> = Box::leak(Box::default());
@@ -29,7 +29,7 @@ lazy_static::lazy_static! {
                 root_cert_store.push(ta);
             }
         }
-        TlsServerTrustAnchors(root_cert_store)
+        root_cert_store
     };
 }
 
@@ -38,7 +38,6 @@ pub fn root_cert_store() -> rustls::RootCertStore {
     let mut root_cert_store = RootCertStore::empty();
     root_cert_store.add_trust_anchors(
         TLS_SERVER_ROOTS
-            .0
             .iter()
             .map(|ta| OwnedTrustAnchor::from_subject_spki_name_constraints(ta.subject, ta.spki, ta.name_constraints)),
     );

src/verify.rs

@@ -10,7 +10,7 @@ use rustls::{
     Certificate, CertificateError, DistinguishedName, Error, ServerName,
 };
 use std::{convert::TryFrom, time::SystemTime};
-use webpki::DnsName;
+use webpki::{DnsName, KeyUsage};
 
 type SignatureAlgorithms = &'static [&'static webpki::SignatureAlgorithm];
 
@@ -45,7 +45,8 @@ pub fn verify_is_valid_tls_server_cert<'a>(end_entity: &'a Certificate, intermed
     let (cert, chain) = prepare(end_entity, intermediates)?;
     let webpki_now = webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?;
 
-    cert.verify_is_valid_tls_server_cert(SUPPORTED_SIG_ALGS, &TLS_SERVER_ROOTS, &chain, webpki_now).map_err(pki_error)?;
+    cert.verify_for_usage(SUPPORTED_SIG_ALGS, &TLS_SERVER_ROOTS, &chain, webpki_now, KeyUsage::server_auth(), &[])
+        .map_err(pki_error)?;
 
     Ok(cert)
 }