diff --git a/src/rust/cryptography-x509-verification/src/policy/extension.rs b/src/rust/cryptography-x509-verification/src/policy/extension.rs
index df53c50507a5d..0bfd0ce6e4062 100644
--- a/src/rust/cryptography-x509-verification/src/policy/extension.rs
+++ b/src/rust/cryptography-x509-verification/src/policy/extension.rs
@@ -14,7 +14,6 @@ use cryptography_x509::{
 use crate::{ops::CryptoOps, policy::Policy, ValidationError};
-#[derive(Clone)]
 pub struct ExtensionPolicy {
 pub(crate) authority_information_access: ExtensionValidator,
 pub(crate) authority_key_identifier: ExtensionValidator,
@@ -124,7 +123,6 @@ impl ExtensionPolicy {
 }
 /// Represents different criticality states for an extension.
-#[derive(Clone)]
 pub(crate) enum Criticality {
 /// The extension MUST be marked as critical.
 Critical,
@@ -153,7 +151,6 @@ type MaybeExtensionValidatorCallback =
 fn(&Policy<'_, B>, &Certificate<'_>, Option<&Extension<'_>>) -> Result<(), ValidationError>;
 /// Represents different validation states for an extension.
-#[derive(Clone)]
 pub(crate) enum ExtensionValidator {
 /// The extension MUST NOT be present.
 NotPresent,
diff --git a/src/rust/cryptography-x509-verification/src/policy/mod.rs b/src/rust/cryptography-x509-verification/src/policy/mod.rs
index a89511fd6d693..5616a83a8cebd 100644
--- a/src/rust/cryptography-x509-verification/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-verification/src/policy/mod.rs
@@ -25,12 +25,10 @@ use cryptography_x509::oid::{
 use once_cell::sync::Lazy;
 use crate::ops::CryptoOps;
-use crate::policy::extension::{ca, common, ee, Criticality, ExtensionValidator};
+use crate::policy::extension::{ca, common, ee, Criticality, ExtensionPolicy, ExtensionValidator};
 use crate::types::{DNSName, DNSPattern, IPAddress};
 use crate::{ValidationError, VerificationCertificate};
-pub use crate::policy::extension::ExtensionPolicy;
-
 // RSA key constraints, as defined in CA/B 6.1.5.
 static WEBPKI_MINIMUM_RSA_MODULUS: usize = 2048;
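Review bot: With the `pub use crate::policy::extension::ExtensionPolicy;` re-export dropped in the mod.rs hunk, `pub struct ExtensionPolicy` in the first extension.rs hunk is left with a wider visibility than its `pub(crate)` fields and than the `Criticality` and `ExtensionValidator` enums in the same file; assuming `extension` is a private module (its declaration is not in this diff), that `pub` is no longer reachable from outside the crate. Consider `pub(crate) struct ExtensionPolicy {` so the type's visibility matches the new crate-internal import in mod.rs, or a short comment on the struct if external exposure is planned to return. The struct body continues outside the hunk.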
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs
index 97e04e545f2f2..face9acf674f6 100644
--- a/src/rust/src/x509/verify.rs
+++ b/src/rust/src/x509/verify.rs
@@ -7,7 +7,7 @@ use cryptography_x509::{
 };
 use cryptography_x509_verification::{
 ops::{CryptoOps, VerificationCertificate},
- policy::{ExtensionPolicy, Policy, Subject},
+ policy::{Policy, Subject},
 trust_store::Store,
 types::{DNSName, IPAddress},
 };
@@ -22,7 +22,6 @@ use crate::x509::sign;
 use super::parse_general_names;
-#[derive(Clone)]
 pub(crate) struct PyCryptoOps {}
 impl CryptoOps for PyCryptoOps {
@@ -74,8 +73,6 @@ pub(crate) struct PolicyBuilder {
 time: Option,
 store: Option>,
 max_chain_depth: Option,
- ca_ext_policy: Option>,
- ee_ext_policy: Option>,
 }
 impl PolicyBuilder {
@@ -84,8 +81,6 @@ impl PolicyBuilder {
 time: self.time.clone(),
 store: self.store.as_ref().map(|s| s.clone_ref(py)),
 max_chain_depth: self.max_chain_depth,
- ca_ext_policy: self.ca_ext_policy.clone(),
- ee_ext_policy: self.ee_ext_policy.clone(),
 }
 }
 }
@@ -98,8 +93,6 @@ impl PolicyBuilder {
 time: None,
 store: None,
 max_chain_depth: None,
- ca_ext_policy: None,
- ee_ext_policy: None,
 }
 }
@@ -311,24 +304,22 @@ impl PyClientVerifier {
 py_chain.append(c.extra())?;
 }
- // NOTE: The `unwrap()` cannot fail, since the underlying policy
- // enforces the well-formedness of the extension set.
- let subjects = match &chain[0]
+ // NOTE: These `unwrap()`s cannot fail, since the underlying policy
+ // enforces the presence of a SAN and the well-formedness of the
+ // extension set.
+ let leaf_san = &chain[0]
 .certificate()
 .extensions()
 .ok()
 .unwrap()
 .get_extension(&SUBJECT_ALTERNATIVE_NAME_OID)
- {
- Some(leaf_san) => {
- let leaf_gns = leaf_san.value::>()?;
- Some(parse_general_names(py, &leaf_gns)?)
- }
- None => None,
- };
+ .unwrap();
+
+ let leaf_gns = leaf_san.value::>()?;
+ let py_gns = parse_general_names(py, &leaf_gns)?;
 Ok(PyVerifiedClient {
- subjects,
+ subjects: Some(py_gns),
 chain: py_chain.unbind(),
 })
 }
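Review bot: The two `unwrap()`s on the new side of the PyClientVerifier hunk (`.extensions().ok().unwrap()` and `.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID).unwrap()`) rely on an invariant enforced by the policy in a different crate, and the NOTE comment is the only link between them; a panic here would surface as a bare `Option::unwrap()` on `None` with nothing naming the cause. Stating the invariant at the call site, `.expect("policy guarantees well-formed extensions")` and `.expect("policy requires a SAN on the leaf")`, keeps the same behaviour while making a later relaxation of the end-entity policy diagnosable. `&chain[0]` also indexes without a guard; if the verifier can only return a non-empty chain that is fine, but that is not visible here. `subjects` is now always `Some(py_gns)`, so the `Option` on that field may be vestigial unless another constructor still passes `None`. The enclosing method starts outside the hunk.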