From 4aa6d91a99fa46aef6e5f2d8b4e5e4c95156b8c1 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:36:17 +0200 Subject: [PATCH 01/11] Clean up clippy warnings --- src/error.rs | 2 +- src/name/verify.rs | 17 +++++------------ src/time.rs | 2 +- src/verify_cert.rs | 24 +++++++++--------------- tests/dns_name_tests.rs | 18 +++++++++--------- 5 files changed, 25 insertions(+), 38 deletions(-) diff --git a/src/error.rs b/src/error.rs index ae11bbc9..6324bfc9 100644 --- a/src/error.rs +++ b/src/error.rs @@ -15,7 +15,7 @@ use core::fmt; /// An error that occurs during certificate validation or name validation. -#[derive(Clone, Copy, Debug, PartialEq)] +#[derive(Clone, Copy, Debug, PartialEq, Eq)] pub enum Error { /// The encoding of some ASN.1 DER-encoded item is invalid. // TODO: Rename to `BadDer` in the next release. diff --git a/src/name/verify.rs b/src/name/verify.rs index 749a9ea6..30e428ac 100644 --- a/src/name/verify.rs +++ b/src/name/verify.rs @@ -32,19 +32,12 @@ pub fn verify_cert_dns_name( cert.subject_alt_name, Err(Error::CertNotValidForName), &|name| { - match name { - GeneralName::DnsName(presented_id) => { - match dns_name::presented_id_matches_reference_id(presented_id, dns_name) { - Some(true) => { - return NameIteration::Stop(Ok(())); - } - Some(false) => (), - None => { - return NameIteration::Stop(Err(Error::BadDER)); - } - } + if let GeneralName::DnsName(presented_id) = name { + match dns_name::presented_id_matches_reference_id(presented_id, dns_name) { + Some(true) => return NameIteration::Stop(Ok(())), + Some(false) => (), + None => return NameIteration::Stop(Err(Error::BadDER)), } - _ => (), } NameIteration::KeepGoing }, diff --git a/src/time.rs b/src/time.rs index 4fa0daaf..a6c0c206 100644 --- a/src/time.rs +++ b/src/time.rs @@ -19,7 +19,7 @@ /// Internally this is merely a UNIX timestamp: a count of non-leap /// seconds since the start of 1970. This type exists to assist /// unit-of-measure correctness. -#[derive(Debug, Clone, Copy, PartialEq, PartialOrd)] +#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd)] pub struct Time(u64); impl Time { diff --git a/src/verify_cert.rs b/src/verify_cert.rs index 8a6bed91..722ba932 100644 --- a/src/verify_cert.rs +++ b/src/verify_cert.rs @@ -53,7 +53,7 @@ pub fn build_chain( // TODO: revocation. - match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| { + let result = loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| { let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject); if cert.issuer != trust_anchor_subject { return Err(Error::UnknownIssuer); @@ -72,13 +72,11 @@ pub fn build_chain( check_signatures(supported_sig_algs, cert, trust_anchor_spki)?; Ok(()) - }) { - Ok(()) => { - return Ok(()); - } - Err(..) => { - // If the error is not fatal, then keep going. - } + }); + + // If the error is not fatal, then keep going. + if result.is_ok() { + return Ok(()); } loop_while_non_fatal_error(intermediate_certs, |cert_der| { @@ -339,13 +337,9 @@ where V: IntoIterator, { for v in values { - match f(v) { - Ok(()) => { - return Ok(()); - } - Err(..) => { - // If the error is not fatal, then keep going. - } + // If the error is not fatal, then keep going. + if f(v).is_ok() { + return Ok(()); } } Err(Error::UnknownIssuer) diff --git a/tests/dns_name_tests.rs b/tests/dns_name_tests.rs index b3a3adc4..7c916ed9 100644 --- a/tests/dns_name_tests.rs +++ b/tests/dns_name_tests.rs @@ -249,10 +249,10 @@ static IP_ADDRESS_DNS_VALIDITY: &[(&[u8], bool)] = &[ (b"\n1.2.3.4", false), (b"1.2.3.4\n", false), // Nulls not allowed - (b"\0", false), - (b"\01.2.3.4", false), - (b"1.2.3.4\0", false), - (b"1.2.3.4\0.5", false), + (b"\x00", false), + (b"\x001.2.3.4", false), + (b"1.2.3.4\x00", false), + (b"1.2.3.4\x00.5", false), // Range (b"0.0.0.0", false), (b"255.255.255.255", false), @@ -385,11 +385,11 @@ static IP_ADDRESS_DNS_VALIDITY: &[(&[u8], bool)] = &[ (b"1234::252.253.254.255\n", false), (b"1234::252.253. 254.255", false), // Nulls - (b"\0", false), - (b"::1\0:2", false), - (b"::1\0", false), - (b"::1.2.3.4\0", false), - (b"::1.2\02.3.4", false), + (b"\x00", false), + (b"::1\x00:2", false), + (b"::1\x00", false), + (b"::1.2.3.4\x00", false), + (b"::1.2\x002.3.4", false), ]; #[test] From 96dfa4c74ee2598452c726b2bc1541c6e698ac72 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:37:32 +0200 Subject: [PATCH 02/11] Change Cargo metadata for fork --- Cargo.toml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 4be84684..ef4fad2d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -16,12 +16,11 @@ authors = ["Brian Smith "] categories = ["cryptography", "no-std"] description = "Web PKI X.509 Certificate Verification." -documentation = "https://briansmith.org/rustdoc/webpki/" edition = "2018" license-file = "LICENSE" -name = "webpki" +name = "rustls-webpki" readme = "README.md" -repository = "https://github.com/briansmith/webpki" +repository = "https://github.com/rustls/webpki" version = "0.21.4" include = [ From 832fa57fbe73e7ebe6b00d09b0bf9b7bd038143c Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:38:46 +0200 Subject: [PATCH 03/11] Remove authors from Cargo metadata per RFC 3052 --- Cargo.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index ef4fad2d..cd6c730f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,7 +13,6 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. [package] -authors = ["Brian Smith "] categories = ["cryptography", "no-std"] description = "Web PKI X.509 Certificate Verification." edition = "2018" From 806d0371967eaf2766da1680156e26cc84c13d50 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:43:35 +0200 Subject: [PATCH 04/11] Bump version for now --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index cd6c730f..0d88e613 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,7 @@ license-file = "LICENSE" name = "rustls-webpki" readme = "README.md" repository = "https://github.com/rustls/webpki" -version = "0.21.4" +version = "0.22.0-alpha.1" include = [ "Cargo.toml", From ef0c3d388dade898b21af7999e3386a6ae3ea8d2 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:44:16 +0200 Subject: [PATCH 05/11] Upgrade to Ubuntu 20.04 since 18.04 is deprecated --- .github/workflows/ci.yml | 20 ++++++++++---------- mk/install-build-tools.sh | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1f925788..7cdedcf1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,7 +6,7 @@ on: push: jobs: rustfmt: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - uses: briansmith/actions-rs-toolchain@v1 @@ -20,7 +20,7 @@ jobs: - run: cargo fmt --all -- --check clippy: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - uses: briansmith/actions-rs-toolchain@v1 @@ -36,7 +36,7 @@ jobs: - run: mk/clippy.sh audit: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - uses: briansmith/actions-rs-toolchain@v1 @@ -63,7 +63,7 @@ jobs: - run: cargo audit --deny warnings deny: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - uses: briansmith/actions-rs-toolchain@v1 @@ -89,7 +89,7 @@ jobs: # Verify that documentation builds. rustdoc: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 strategy: matrix: @@ -116,7 +116,7 @@ jobs: cargo doc --all-features package: - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 steps: - uses: briansmith/actions-rs-toolchain@v1 @@ -172,16 +172,16 @@ jobs: include: - target: arm-unknown-linux-gnueabihf - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 - target: i686-pc-windows-msvc host_os: windows-latest - target: x86_64-unknown-linux-musl - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 - target: x86_64-unknown-linux-gnu - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 steps: - if: ${{ contains(matrix.host_os, 'ubuntu') }} @@ -233,7 +233,7 @@ jobs: # TODO: targets include: - target: x86_64-unknown-linux-musl - host_os: ubuntu-18.04 + host_os: ubuntu-20.04 steps: - if: ${{ contains(matrix.host_os, 'ubuntu') }} diff --git a/mk/install-build-tools.sh b/mk/install-build-tools.sh index db50246e..0f825646 100755 --- a/mk/install-build-tools.sh +++ b/mk/install-build-tools.sh @@ -86,7 +86,7 @@ if [ -n "$use_clang" ]; then # format to one that only LLVM 11+ can use llvm_version=12 sudo apt-key add mk/llvm-snapshot.gpg.key - sudo add-apt-repository "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-$llvm_version main" + sudo add-apt-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-$llvm_version main" sudo apt-get update install_packages clang-$llvm_version llvm-$llvm_version fi From 523901ba801cb756be20e32992e4c828ffd8f184 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 14:35:51 +0200 Subject: [PATCH 06/11] Upgrade to LLVM 15 to match nightly Rust --- mk/cargo.sh | 2 +- mk/install-build-tools.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mk/cargo.sh b/mk/cargo.sh index 85a1cbc3..55064850 100755 --- a/mk/cargo.sh +++ b/mk/cargo.sh @@ -39,7 +39,7 @@ for arg in $*; do done # See comments in install-build-tools.sh. -llvm_version=12 +llvm_version=15 case $target in aarch64-linux-android) diff --git a/mk/install-build-tools.sh b/mk/install-build-tools.sh index 0f825646..efd04bd3 100755 --- a/mk/install-build-tools.sh +++ b/mk/install-build-tools.sh @@ -84,7 +84,7 @@ esac if [ -n "$use_clang" ]; then # https://github.com/rust-lang/rust/pull/79365 upgraded the coverage file # format to one that only LLVM 11+ can use - llvm_version=12 + llvm_version=15 sudo apt-key add mk/llvm-snapshot.gpg.key sudo add-apt-repository "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-$llvm_version main" sudo apt-get update From 5d3c636c6d4c01b002299a0ab50e533459e3f87c Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:45:29 +0200 Subject: [PATCH 07/11] Switch back to canonical actions --- .github/workflows/ci.yml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7cdedcf1..ceabb5f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal components: rustfmt - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - run: cargo fmt --all -- --check @@ -23,13 +23,13 @@ jobs: runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal components: clippy - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -39,12 +39,12 @@ jobs: runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal - - uses: briansmith/actions-cache@v2 + - uses: actions/cache@v2 with: path: | ~/.cargo/bin/cargo-audit @@ -54,7 +54,7 @@ jobs: - run: cargo install cargo-audit --vers "0.13.1" - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -66,12 +66,12 @@ jobs: runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal - - uses: briansmith/actions-cache@v2 + - uses: actions/cache@v2 with: path: | ~/.cargo/bin/cargo-deny @@ -81,7 +81,7 @@ jobs: - run: cargo install cargo-deny --locked --vers "0.8.5" - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -102,13 +102,13 @@ jobs: - target: x86_64-unknown-linux-gnu steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: override: true target: ${{ matrix.target }} toolchain: ${{ matrix.rust_channel }} - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -119,12 +119,12 @@ jobs: runs-on: ubuntu-20.04 steps: - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: toolchain: stable profile: minimal - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false @@ -187,14 +187,14 @@ jobs: - if: ${{ contains(matrix.host_os, 'ubuntu') }} run: sudo apt-get update -y - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - if: ${{ !contains(matrix.host_os, 'windows') }} run: mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }} - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: override: true target: ${{ matrix.target }} @@ -239,14 +239,14 @@ jobs: - if: ${{ contains(matrix.host_os, 'ubuntu') }} run: sudo apt-get update -y - - uses: briansmith/actions-checkout@v2 + - uses: actions/checkout@v2 with: persist-credentials: false - if: ${{ !contains(matrix.host_os, 'windows') }} run: RING_COVERAGE=1 mk/install-build-tools.sh --target=${{ matrix.target }} ${{ matrix.features }} - - uses: briansmith/actions-rs-toolchain@v1 + - uses: actions-rs/toolchain@v1 with: override: true target: ${{ matrix.target }} @@ -259,7 +259,7 @@ jobs: run: | RING_COVERAGE=1 mk/cargo.sh +${{ matrix.rust_channel }} test -vv --target=${{ matrix.target }} ${{ matrix.cargo_options }} ${{ matrix.features }} ${{ matrix.mode }} - - uses: briansmith/codecov-codecov-action@v1 + - uses: codecov/codecov-action@v1 with: directory: ./target/${{ matrix.target }}/debug/coverage/reports fail_ci_if_error: true From bce4e84c4ea144b78e12710550c483b37a53e909 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 12:00:49 +0200 Subject: [PATCH 08/11] Remove extra dash in clippy invocation --- mk/clippy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mk/clippy.sh b/mk/clippy.sh index b3131735..f410dd4c 100755 --- a/mk/clippy.sh +++ b/mk/clippy.sh @@ -20,7 +20,7 @@ IFS=$'\n\t' export NULL="" cargo clippy \ --target-dir=target/clippy \ - --all-features ---all-targets \ + --all-features --all-targets \ -- \ --deny missing_docs \ --deny warnings \ From 83cd8e80e2f82247510b1400f6088847785aab12 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 13:38:25 +0200 Subject: [PATCH 09/11] Allow Unicode-DFS-2016 license and update crate name https://spdx.org/licenses/Unicode-DFS-2016.html --- deny.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deny.toml b/deny.toml index d5ab300c..394a1771 100644 --- a/deny.toml +++ b/deny.toml @@ -10,6 +10,7 @@ allow = [ "LicenseRef-ring", "LicenseRef-webpki", "MIT", + "Unicode-DFS-2016", ] confidence-threshold = 1.0 @@ -23,7 +24,7 @@ license-files = [ # XXX: Figure out how to deal with the Google-source test data # https://github.com/briansmith/webpki/issues/148. [[licenses.clarify]] -name = "webpki" +name = "rustls-webpki" expression = "LicenseRef-webpki" license-files = [ { path = "LICENSE", hash = 0x001c7e6c }, From 57b738d9517cdb366afdd7f1ea516381350bda1a Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 11:58:56 +0200 Subject: [PATCH 10/11] Reduce test matrix --- .github/workflows/ci.yml | 50 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ceabb5f8..daa98460 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -166,11 +166,57 @@ jobs: - beta exclude: - # 1.46.0 doesn't support `-Clink-self-contained`. - - target: x86_64-unknown-linux-musl + - features: # Default + - features: --features=alloc + - features: --all-features + mode: --release + - features: --all-features + mode: # debug + rust_channel: nightly + - features: --all-features + mode: # debug rust_channel: 1.46.0 + - features: --all-features + mode: # debug + rust_channel: beta include: + - features: # Default + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: stable + host_os: ubuntu-20.04 + + - features: --features=alloc + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: stable + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: --release + rust_channel: stable + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: nightly + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: 1.46.0 + host_os: ubuntu-20.04 + + - features: --all-features + target: x86_64-unknown-linux-gnu + mode: # debug + rust_channel: beta + host_os: ubuntu-20.04 + - target: arm-unknown-linux-gnueabihf host_os: ubuntu-20.04 From 7c4467bcab4acbeeb6292ab3531ccfa15e347a97 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Wed, 31 Aug 2022 14:33:21 +0200 Subject: [PATCH 11/11] Remove audit job (included in deny) --- .github/workflows/ci.yml | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index daa98460..a7fcb060 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,33 +35,6 @@ jobs: - run: mk/clippy.sh - audit: - runs-on: ubuntu-20.04 - - steps: - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - profile: minimal - - - uses: actions/cache@v2 - with: - path: | - ~/.cargo/bin/cargo-audit - ~/.cargo/.crates.toml - ~/.cargo/.crates2.json - key: ${{ runner.os }}-v2-cargo-audit-0.13.1 - - - run: cargo install cargo-audit --vers "0.13.1" - - - uses: actions/checkout@v2 - with: - persist-credentials: false - - - run: cargo generate-lockfile - - - run: cargo audit --deny warnings - deny: runs-on: ubuntu-20.04