diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1f925788..a7fcb060 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,72 +6,45 @@ on: push: jobs: rustfmt: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal components: rustfmt - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - run: cargo fmt --all -- --check clippy: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal components: clippy - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - run: mk/clippy.sh - audit: - runs-on: ubuntu-18.04 - - steps: - - uses: briansmith/actions-rs-toolchain@v1 - with: - toolchain: stable - profile: minimal - - - uses: briansmith/actions-cache@v2 - with: - path: | - ~/.cargo/bin/cargo-audit - ~/.cargo/.crates.toml - ~/.cargo/.crates2.json - key: ${{ runner.os }}-v2-cargo-audit-0.13.1 - - - run: cargo install cargo-audit --vers "0.13.1" - - - uses: briansmith/actions-checkout@v2 - with: - persist-credentials: false - - - run: cargo generate-lockfile - - - run: cargo audit --deny warnings - deny: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal - - uses: briansmith/actions-cache@v2 + - uses: actions/cache@v2 with: path: | ~/.cargo/bin/cargo-deny @@ -81,7 +54,7 @@ jobs: - run: cargo install cargo-deny --locked --vers "0.8.5" - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -89,7 +62,7 @@ jobs: # Verify that documentation builds. rustdoc: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 strategy: matrix: @@ -102,13 +75,13 @@ jobs: - target: x86_64-unknown-linux-gnu steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: override: true target: ${{ matrix.target }} toolchain: ${{ matrix.rust_channel }} - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -116,15 +89,15 @@ jobs: cargo doc --all-features package: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -166,35 +139,81 @@ jobs: - beta exclude: - # 1.46.0 doesn't support `-Clink-self-contained`. - - target: x86_64-unknown-linux-musl + - features: # Default + - features: --features=alloc + - features: --all-features + mode: --release + - features: --all-features + mode: # debug + rust_channel: nightly + - features: --all-features + mode: # debug rust_channel: 1.46.0 + - features: --all-features + mode: # debug + rust_channel: beta include: + - features: # Default + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: stable + host_os: ubuntu-20.04 + + - features: --features=alloc + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: stable + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: --release + rust_channel: stable + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: nightly + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: 1.46.0 + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: beta + host_os: ubuntu-20.04 + - target: arm-unknown-linux-gnueabihf - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 - target: i686-pc-windows-msvc host_os: windows-latest - target: x86_64-unknown-linux-musl - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 - target: x86_64-unknown-linux-gnu - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 steps: - if: ${{ contains(matrix.host_os, 'ubuntu') }} run: sudo apt-get update -y - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - if: ${{ !contains(matrix.host_os, 'windows') }} run: mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }} - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: override: true target: ${{ matrix.target }} @@ -233,20 +252,20 @@ jobs: # TODO: targets include: - target: x86_64-unknown-linux-musl - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 steps: - if: ${{ contains(matrix.host_os, 'ubuntu') }} run: sudo apt-get update -y - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - if: ${{ !contains(matrix.host_os, 'windows') }} run: RING_COVERAGE=1 mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }} - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: override: true target: ${{ matrix.target }} @@ -259,7 +278,7 @@ jobs: run: | RING_COVERAGE=1 mk/cargo.sh +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }} - - uses: briansmith/codecov-codecov-action@v1 + - uses: codecov/codecov-action@v1 with: directory: ./target/${{ matrix.target }}/debug/coverage/reports fail_ci_if_error: true diff --git a/Cargo.toml b/Cargo.toml index 4be84684..0d88e613 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,16 +13,14 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. [package] -authors = ["Brian Smith "] categories = ["cryptography", "no-std"] description = "Web PKI X.509 Certificate Verification." -documentation = "https://briansmith.org/rustdoc/webpki/" edition = "2018" license-file = "LICENSE" -name = "webpki" +name = "rustls-webpki" readme = "README.md" -repository = "https://github.com/briansmith/webpki" -version = "0.21.4" +repository = "https://github.com/rustls/webpki" +version = "0.22.0-alpha.1" include = [ "Cargo.toml", diff --git a/deny.toml b/deny.toml index d5ab300c..394a1771 100644 --- a/deny.toml +++ b/deny.toml @@ -10,6 +10,7 @@ allow = [ "LicenseRef-ring", "LicenseRef-webpki", "MIT", + "Unicode-DFS-2016", ] confidence-threshold = 1.0 @@ -23,7 +24,7 @@ license-files = [ # XXX: Figure out how to deal with the Google-source test data # https://github.com/briansmith/webpki/issues/148. [[licenses.clarify]] -name = "webpki" +name = "rustls-webpki" expression = "LicenseRef-webpki" license-files = [ { path = "LICENSE", hash = 0x001c7e6c }, diff --git a/mk/cargo.sh b/mk/cargo.sh index 85a1cbc3..55064850 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh @@ -39,7 +39,7 @@ for arg in $*; do done # See comments in install-build-tools.sh. -llvm_version=12 +llvm_version=15 case $target in aarch64-linux-android) diff --git a/mk/clippy.sh b/mk/clippy.sh index b3131735..f410dd4c 100755 --- a/mk/clippy.sh +++ b/mk/clippy.sh @@ -20,7 +20,7 @@ IFS=$'\n\t' export NULL="" cargo clippy \ --target-dir=target/clippy \ - --all-features ---all-targets \ + --all-features --all-targets \ -- \ --deny missing_docs \ --deny warnings \ diff --git a/mk/install-build-tools.sh b/mk/install-build-tools.sh index db50246e..efd04bd3 100755 --- a/mk/install-build-tools.sh +++ b/mk/install-build-tools.sh @@ -84,9 +84,9 @@ esac if [ -n "$use_clang" ]; then # https://github.com/rust-lang/rust/pull/79365 upgraded the coverage file # format to one that only LLVM 11+ can use - llvm_version=12 + llvm_version=15 sudo apt-key add mk/llvm-snapshot.gpg.key - sudo add-apt-repository "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-$llvm_version main" + sudo add-apt-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-$llvm_version main" sudo apt-get update install_packages clang-$llvm_version llvm-$llvm_version fi diff --git a/src/error.rs b/src/error.rs index ae11bbc9..6324bfc9 100644 --- a/src/error.rs +++ b/src/error.rs @@ -15,7 +15,7 @@ use core::fmt; /// An error that occurs during certificate validation or name validation. -#[derive(Clone, Copy, Debug, PartialEq)] +#[derive(Clone, Copy, Debug, PartialEq, Eq)] pub enum Error { /// The encoding of some ASN.1 DER-encoded item is invalid. // TODO: Rename to `BadDer` in the next release. diff --git a/src/name/verify.rs b/src/name/verify.rs index 749a9ea6..30e428ac 100644 --- a/src/name/verify.rs +++ b/src/name/verify.rs @@ -32,19 +32,12 @@ pub fn verify_cert_dns_name( cert.subject_alt_name, Err(Error::CertNotValidForName), &|name| { - match name { - GeneralName::DnsName(presented_id) => { - match dns_name::presented_id_matches_reference_id(presented_id, dns_name) { - Some(true) => { - return NameIteration::Stop(Ok(())); - } - Some(false) => (), - None => { - return NameIteration::Stop(Err(Error::BadDER)); - } - } + if let GeneralName::DnsName(presented_id) = name { + match dns_name::presented_id_matches_reference_id(presented_id, dns_name) { + Some(true) => return NameIteration::Stop(Ok(())), + Some(false) => (), + None => return NameIteration::Stop(Err(Error::BadDER)), } - _ => (), } NameIteration::KeepGoing }, diff --git a/src/time.rs b/src/time.rs index 4fa0daaf..a6c0c206 100644 --- a/src/time.rs +++ b/src/time.rs @@ -19,7 +19,7 @@ /// Internally this is merely a UNIX timestamp: a count of non-leap /// seconds since the start of 1970. This type exists to assist /// unit-of-measure correctness. -#[derive(Debug, Clone, Copy, PartialEq, PartialOrd)] +#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd)] pub struct Time(u64); impl Time { diff --git a/src/verify_cert.rs b/src/verify_cert.rs index 8a6bed91..722ba932 100644 --- a/src/verify_cert.rs +++ b/src/verify_cert.rs @@ -53,7 +53,7 @@ pub fn build_chain( // TODO: revocation. - match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| { + let result = loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| { let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject); if cert.issuer != trust_anchor_subject { return Err(Error::UnknownIssuer); @@ -72,13 +72,11 @@ pub fn build_chain( check_signatures(supported_sig_algs, cert, trust_anchor_spki)?; Ok(()) - }) { - Ok(()) => { - return Ok(()); - } - Err(..) => { - // If the error is not fatal, then keep going. - } + }); + + // If the error is not fatal, then keep going. + if result.is_ok() { + return Ok(()); } loop_while_non_fatal_error(intermediate_certs, |cert_der| { @@ -339,13 +337,9 @@ where V: IntoIterator, { for v in values { - match f(v) { - Ok(()) => { - return Ok(()); - } - Err(..) => { - // If the error is not fatal, then keep going. - } + // If the error is not fatal, then keep going. + if f(v).is_ok() { + return Ok(()); } } Err(Error::UnknownIssuer) diff --git a/tests/dns_name_tests.rs b/tests/dns_name_tests.rs index b3a3adc4..7c916ed9 100644 --- a/tests/dns_name_tests.rs +++ b/tests/dns_name_tests.rs @@ -249,10 +249,10 @@ static IP_ADDRESS_DNS_VALIDITY: &[(&[u8], bool)] = &[ (b"\n1.2.3.4", false), (b"1.2.3.4\n", false), // Nulls not allowed - (b"\0", false), - (b"\01.2.3.4", false), - (b"1.2.3.4\0", false), - (b"1.2.3.4\0.5", false), + (b"\x00", false), + (b"\x001.2.3.4", false), + (b"1.2.3.4\x00", false), + (b"1.2.3.4\x00.5", false), // Range (b"0.0.0.0", false), (b"255.255.255.255", false), @@ -385,11 +385,11 @@ static IP_ADDRESS_DNS_VALIDITY: &[(&[u8], bool)] = &[ (b"1234::252.253.254.255\n", false), (b"1234::252.253. 254.255", false), // Nulls - (b"\0", false), - (b"::1\0:2", false), - (b"::1\0", false), - (b"::1.2.3.4\0", false), - (b"::1.2\02.3.4", false), + (b"\x00", false), + (b"::1\x00:2", false), + (b"::1\x00", false), + (b"::1.2.3.4\x00", false), + (b"::1.2\x002.3.4", false), ]; #[test]