Skip to content

Commit

Permalink
Revert main branch crate contents to the 0.22.0 release contents.
Browse files Browse the repository at this point in the history 
Reset the crate contents (sources, tests, etc.)
to what they were at that commit, while retaining the newer CI
configuration.

The changes since the 0.22.0 release were primarily intended to
accomplish two goals:

* Fix and improve the GitHub Actions configuration.
* Prepare a 0.21.5 release that was backward compatible with 0.21.4
  but which also contained the improvements that were in 0.22.0.

0.21.5 was never released and will not be released. Therefore all
of the noise to facilitate the 0.21.5 release can just be deleted,
as long as we leave the CI changes.

The exact commands I used were:

```
git checkout \
    6c334a2 \
    -- \
    Cargo.toml \
    LICENSE \
    README.md \
    src \
    tests \
    third-party
git rm src/trust_anchor_util.rs
```

Commit 6c334a2 was the commit from
which 0.22.0 was released. It is confusing because the commit
immediately prior, 0b7cbf2, has
commit message "0.22.0". It appears that I merged the "0.22.0"
commit, expecting to `cargo publish` from that commit, but then
`cargo publish` failed. Then I added
6c334a2 to fix `cargo publish`
and did the `cargo publish` from that commit. That's why I added
the CI step, to prevent this confusing situation from happening again.)

`trust_anchor_utils.rs` was not in 0.22.0; the `git checkout` didn't
delete it, so I had to do it separately.

I left the added test files in `tests/` (e.g. `name_tests.rs`) since
those tests pass with the 0.22.0 sources too.

Unfortunately, this requires disabling a bunch of Clippy lints, to
avoid modifying the contents from 0.22.0.

(I know it is confusing. It took me a while to figure it out myself
today.)
  • Loading branch information
@briansmith
briansmith committed Aug 30, 2023
1 parent 8330c72 commit 5befee3
Show file tree
Hide file tree
Showing 18 changed files with 131 additions and 130 deletions.
9 changes: 2 additions & 7 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ license-file = "LICENSE"
name = "webpki"
readme = "README.md"
repository = "https://github.com/briansmith/webpki"
version = "0.21.4"
version = "0.22.0"

include = [
"Cargo.toml",
Expand All @@ -42,7 +42,6 @@ include = [
"src/signed_data.rs",
"src/time.rs",
"src/trust_anchor.rs",
"src/trust_anchor_util.rs",
"src/verify_cert.rs",
"src/lib.rs",

Expand All @@ -68,19 +67,15 @@ all-features = true
name = "webpki"

[features]
# TODO: In the next release, make this non-default.
default = ["std"]
alloc = ["ring/alloc"]
std = ["alloc"]
# TODO: In the next release, remove this.
trust_anchor_util = ["std"]

[dependencies]
ring = { version = "0.16.19", default-features = false }
untrusted = "0.7.1"

[dev-dependencies]
base64 = "0.13"
base64 = "0.9.1"

[profile.bench]
opt-level = 3
Expand Down
6 changes: 5 additions & 1 deletion mk/clippy.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,16 +22,20 @@ cargo clippy \
--target-dir=target/clippy \
--all-features --all-targets \
-- \
--deny missing_docs \
--deny warnings \
\
--deny clippy::as_conversions \
\
--allow clippy::clone_on_copy \
--allow clippy::explicit_auto_deref \
--allow clippy::len_without_is_empty \
--allow clippy::needless_borrow \
--allow clippy::new_without_default \
--allow clippy::octal_escapes \
--allow clippy::redundant_closure \
--allow clippy::single_match \
--allow clippy::single_match_else \
--allow clippy::type_complexity \
--allow clippy::upper_case_acronyms \
--allow clippy::useless_asref \
$NULL
2 changes: 1 addition & 1 deletion src/calendar.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ fn days_before_year_since_unix_epoch(year: u64) -> Result<u64, Error> {
// Unix epoch. It is likely that other software won't deal well with
// certificates that have dates before the epoch.
if year < 1970 {
return Err(Error::BadDERTime);
return Err(Error::BadDerTime);
}
let days_before_year_ad = days_before_year_ad(year);
debug_assert!(days_before_year_ad >= DAYS_BEFORE_UNIX_EPOCH_AD);
Expand Down
12 changes: 6 additions & 6 deletions src/cert.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,16 +49,16 @@ pub(crate) fn parse_cert_internal<'a>(
ee_or_ca: EndEntityOrCa<'a>,
serial_number: fn(input: &mut untrusted::Reader<'_>) -> Result<(), Error>,
) -> Result<Cert<'a>, Error> {
let (tbs, signed_data) = cert_der.read_all(Error::BadDER, |cert_der| {
let (tbs, signed_data) = cert_der.read_all(Error::BadDer, |cert_der| {
der::nested(
cert_der,
der::Tag::Sequence,
Error::BadDER,
Error::BadDer,
signed_data::parse_signed_data,
)
})?;

tbs.read_all(Error::BadDER, |tbs| {
tbs.read_all(Error::BadDer, |tbs| {
version3(tbs)?;
serial_number(tbs)?;

Expand Down Expand Up @@ -110,7 +110,7 @@ pub(crate) fn parse_cert_internal<'a>(
tagged,
der::Tag::Sequence,
der::Tag::Sequence,
Error::BadDER,
Error::BadDer,
|extension| {
let extn_id = der::expect_tag_and_get_value(extension, der::Tag::OID)?;
let critical = der::optional_boolean(extension)?;
Expand Down Expand Up @@ -154,7 +154,7 @@ pub fn certificate_serial_number(input: &mut untrusted::Reader) -> Result<(), Er

let value = der::positive_integer(input)?;
if value.big_endian_without_leading_zero().len() > 20 {
return Err(Error::BadDER);
return Err(Error::BadDer);
}
Ok(())
}
Expand Down Expand Up @@ -215,7 +215,7 @@ fn remember_extension<'a>(
}
None => {
// All the extensions that we care about are wrapped in a SEQUENCE.
let sequence_value = value.read_all(Error::BadDER, |value| {
let sequence_value = value.read_all(Error::BadDer, |value| {
der::expect_tag_and_get_value(value, der::Tag::Sequence)
})?;
*out = Some(sequence_value);
Expand Down
32 changes: 16 additions & 16 deletions src/der.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ pub fn expect_tag_and_get_value<'a>(
input: &mut untrusted::Reader<'a>,
tag: Tag,
) -> Result<untrusted::Input<'a>, Error> {
ring::io::der::expect_tag_and_get_value(input, tag).map_err(|_| Error::BadDER)
ring::io::der::expect_tag_and_get_value(input, tag).map_err(|_| Error::BadDer)
}

pub struct Value<'a> {
Expand All @@ -39,7 +39,7 @@ impl<'a> Value<'a> {
pub fn expect_tag<'a>(input: &mut untrusted::Reader<'a>, tag: Tag) -> Result<Value<'a>, Error> {
let (actual_tag, value) = read_tag_and_get_value(input)?;
if usize::from(tag) != usize::from(actual_tag) {
return Err(Error::BadDER);
return Err(Error::BadDer);
}

Ok(Value { value })
Expand All @@ -49,7 +49,7 @@ pub fn expect_tag<'a>(input: &mut untrusted::Reader<'a>, tag: Tag) -> Result<Val
pub fn read_tag_and_get_value<'a>(
input: &mut untrusted::Reader<'a>,
) -> Result<(u8, untrusted::Input<'a>), Error> {
ring::io::der::read_tag_and_get_value(input).map_err(|_| Error::BadDER)
ring::io::der::read_tag_and_get_value(input).map_err(|_| Error::BadDer)
}

// TODO: investigate taking decoder as a reference to reduce generated code
Expand Down Expand Up @@ -78,10 +78,10 @@ where
pub fn bit_string_with_no_unused_bits<'a>(
input: &mut untrusted::Reader<'a>,
) -> Result<untrusted::Input<'a>, Error> {
nested(input, Tag::BitString, Error::BadDER, |value| {
let unused_bits_at_end = value.read_byte().map_err(|_| Error::BadDER)?;
nested(input, Tag::BitString, Error::BadDer, |value| {
let unused_bits_at_end = value.read_byte().map_err(|_| Error::BadDer)?;
if unused_bits_at_end != 0 {
return Err(Error::BadDER);
return Err(Error::BadDer);
}
Ok(value.read_bytes_to_end())
})
Expand All @@ -93,21 +93,21 @@ pub fn optional_boolean(input: &mut untrusted::Reader) -> Result<bool, Error> {
if !input.peek(Tag::Boolean.into()) {
return Ok(false);
}
nested(input, Tag::Boolean, Error::BadDER, |input| {
nested(input, Tag::Boolean, Error::BadDer, |input| {
match input.read_byte() {
Ok(0xff) => Ok(true),
Ok(0x00) => Ok(false),
_ => Err(Error::BadDER),
_ => Err(Error::BadDer),
}
})
}

pub fn positive_integer<'a>(input: &'a mut untrusted::Reader) -> Result<Positive<'a>, Error> {
ring::io::der::positive_integer(input).map_err(|_| Error::BadDER)
ring::io::der::positive_integer(input).map_err(|_| Error::BadDer)
}

pub fn small_nonnegative_integer(input: &mut untrusted::Reader) -> Result<u8, Error> {
ring::io::der::small_nonnegative_integer(input).map_err(|_| Error::BadDER)
ring::io::der::small_nonnegative_integer(input).map_err(|_| Error::BadDer)
}

pub fn time_choice(input: &mut untrusted::Reader) -> Result<time::Time, Error> {
Expand All @@ -120,24 +120,24 @@ pub fn time_choice(input: &mut untrusted::Reader) -> Result<time::Time, Error> {

fn read_digit(inner: &mut untrusted::Reader) -> Result<u64, Error> {
const DIGIT: core::ops::RangeInclusive<u8> = b'0'..=b'9';
let b = inner.read_byte().map_err(|_| Error::BadDERTime)?;
let b = inner.read_byte().map_err(|_| Error::BadDerTime)?;
if DIGIT.contains(&b) {
return Ok(u64::from(b - DIGIT.start()));
}
Err(Error::BadDERTime)
Err(Error::BadDerTime)
}

fn read_two_digits(inner: &mut untrusted::Reader, min: u64, max: u64) -> Result<u64, Error> {
let hi = read_digit(inner)?;
let lo = read_digit(inner)?;
let value = (hi * 10) + lo;
if value < min || value > max {
return Err(Error::BadDERTime);
return Err(Error::BadDerTime);
}
Ok(value)
}

nested(input, expected_tag, Error::BadDER, |value| {
nested(input, expected_tag, Error::BadDer, |value| {
let (year_hi, year_lo) = if is_utc_time {
let lo = read_two_digits(value, 0, 99)?;
let hi = if lo >= 50 { 19 } else { 20 };
Expand All @@ -156,9 +156,9 @@ pub fn time_choice(input: &mut untrusted::Reader) -> Result<time::Time, Error> {
let minutes = read_two_digits(value, 0, 59)?;
let seconds = read_two_digits(value, 0, 59)?;

let time_zone = value.read_byte().map_err(|_| Error::BadDERTime)?;
let time_zone = value.read_byte().map_err(|_| Error::BadDerTime)?;
if time_zone != b'Z' {
return Err(Error::BadDERTime);
return Err(Error::BadDerTime);
}

calendar::time_from_ymdhms_utc(year, month, day_of_month, hours, minutes, seconds)
Expand Down
50 changes: 36 additions & 14 deletions src/end_entity.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,12 @@
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use crate::{
cert, name, signed_data, verify_cert, DnsNameRef, Error, SignatureAlgorithm,
TLSClientTrustAnchors, TLSServerTrustAnchors, Time,
cert, name, signed_data, verify_cert, DnsNameRef, Error, SignatureAlgorithm, Time,
TlsClientTrustAnchors, TlsServerTrustAnchors,
};
use core::convert::TryFrom;

#[cfg(feature = "alloc")]
use alloc::vec::Vec;

/// An end-entity certificate.
///
Expand Down Expand Up @@ -57,7 +59,7 @@ pub struct EndEntityCert<'a> {
inner: cert::Cert<'a>,
}

impl<'a> TryFrom<&'a [u8]> for EndEntityCert<'a> {
impl<'a> core::convert::TryFrom<&'a [u8]> for EndEntityCert<'a> {
type Error = Error;

/// Parse the ASN.1 DER-encoded X.509 encoding of the certificate
Expand All @@ -73,12 +75,6 @@ impl<'a> TryFrom<&'a [u8]> for EndEntityCert<'a> {
}

impl<'a> EndEntityCert<'a> {
/// Deprecated. Use `TryFrom::try_from`.
#[deprecated(note = "Use TryFrom::try_from")]
pub fn from(cert_der: &'a [u8]) -> Result<Self, Error> {
TryFrom::try_from(cert_der)
}

pub(super) fn inner(&self) -> &cert::Cert {
&self.inner
}
Expand All @@ -96,7 +92,7 @@ impl<'a> EndEntityCert<'a> {
pub fn verify_is_valid_tls_server_cert(
&self,
supported_sig_algs: &[&SignatureAlgorithm],
&TLSServerTrustAnchors(trust_anchors): &TLSServerTrustAnchors,
&TlsServerTrustAnchors(trust_anchors): &TlsServerTrustAnchors,
intermediate_certs: &[&[u8]],
time: Time,
) -> Result<(), Error> {
Expand Down Expand Up @@ -128,7 +124,7 @@ impl<'a> EndEntityCert<'a> {
pub fn verify_is_valid_tls_client_cert(
&self,
supported_sig_algs: &[&SignatureAlgorithm],
&TLSClientTrustAnchors(trust_anchors): &TLSClientTrustAnchors,
&TlsClientTrustAnchors(trust_anchors): &TlsClientTrustAnchors,
intermediate_certs: &[&[u8]],
time: Time,
) -> Result<(), Error> {
Expand All @@ -145,7 +141,33 @@ impl<'a> EndEntityCert<'a> {

/// Verifies that the certificate is valid for the given DNS host name.
pub fn verify_is_valid_for_dns_name(&self, dns_name: DnsNameRef) -> Result<(), Error> {
name::verify_cert_dns_name(self, dns_name)
name::verify_cert_dns_name(&self, dns_name)
}

/// Verifies that the certificate is valid for at least one of the given DNS
/// host names.
///
/// If the certificate is not valid for any of the given names then this
/// fails with `Error::CertNotValidForName`. Otherwise the DNS names for
/// which the certificate is valid are returned.
///
/// Requires the `alloc` default feature; i.e. this isn't available in
/// `#![no_std]` configurations.
#[cfg(feature = "alloc")]
pub fn verify_is_valid_for_at_least_one_dns_name<'names, Names>(
&self,
dns_names: Names,
) -> Result<Vec<DnsNameRef<'names>>, Error>
where
Names: Iterator<Item = DnsNameRef<'names>>,
{
let result: Vec<DnsNameRef<'names>> = dns_names
.filter(|n| self.verify_is_valid_for_dns_name(*n).is_ok())
.collect();
if result.is_empty() {
return Err(Error::CertNotValidForName);
}
Ok(result)
}

/// Verifies the signature `signature` of message `msg` using the
Expand All @@ -160,7 +182,7 @@ impl<'a> EndEntityCert<'a> {
/// `DigitallySigned.algorithm` of TLS type `SignatureAndHashAlgorithm`. In
/// TLS 1.2 a single `SignatureAndHashAlgorithm` may map to multiple
/// `SignatureAlgorithm`s. For example, a TLS 1.2
/// `SignatureAndHashAlgorithm` of (ECDSA, SHA-256) may map to any or all
/// `ignatureAndHashAlgorithm` of (ECDSA, SHA-256) may map to any or all
/// of {`ECDSA_P256_SHA256`, `ECDSA_P384_SHA256`}, depending on how the TLS
/// implementation is configured.
///
Expand Down
6 changes: 2 additions & 4 deletions src/error.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,10 @@ use core::fmt;
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Error {
/// The encoding of some ASN.1 DER-encoded item is invalid.
// TODO: Rename to `BadDer` in the next release.
BadDER,
BadDer,

/// The encoding of an ASN.1 DER-encoded time is invalid.
// TODO: Rename to `BadDerTime` in the next release.
BadDERTime,
BadDerTime,

/// A CA certificate is being used as an end-entity certificate.
CaUsedAsEndEntity,
Expand Down
28 changes: 21 additions & 7 deletions src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,17 @@

#![doc(html_root_url = "https://briansmith.org/rustdoc/")]
#![cfg_attr(not(feature = "std"), no_std)]
#![allow(
clippy::doc_markdown,
clippy::if_not_else,
clippy::inline_always,
clippy::items_after_statements,
clippy::missing_errors_doc,
clippy::module_name_repetitions,
clippy::single_match,
clippy::single_match_else
)]
#![deny(clippy::as_conversions)]

#[cfg(any(test, feature = "alloc"))]
#[cfg_attr(test, macro_use)]
Expand All @@ -42,7 +53,6 @@ mod name;
mod signed_data;
mod time;
mod trust_anchor;
pub mod trust_anchor_util;

mod verify_cert;

Expand All @@ -55,7 +65,7 @@ pub use {
ECDSA_P384_SHA384, ED25519,
},
time::Time,
trust_anchor::{TLSClientTrustAnchors, TLSServerTrustAnchors, TrustAnchor},
trust_anchor::{TlsClientTrustAnchors, TlsServerTrustAnchors, TrustAnchor},
};

#[cfg(feature = "alloc")]
Expand All @@ -69,14 +79,18 @@ pub use {
};

#[cfg(feature = "alloc")]
#[allow(missing_docs, unknown_lints, clippy::upper_case_acronyms)]
#[allow(unknown_lints, clippy::upper_case_acronyms)]
#[deprecated(note = "Use DnsName")]
pub type DNSName = DnsName;

#[deprecated(note = "use DnsNameRef")]
#[allow(missing_docs, unknown_lints, clippy::upper_case_acronyms)]
#[allow(unknown_lints, clippy::upper_case_acronyms)]
pub type DNSNameRef<'a> = DnsNameRef<'a>;

#[deprecated(note = "use InvalidDnsNameError")]
#[allow(missing_docs, unknown_lints, clippy::upper_case_acronyms)]
pub type InvalidDNSNameError = InvalidDnsNameError;
#[deprecated(note = "use TlsServerTrustAnchors")]
#[allow(unknown_lints, clippy::upper_case_acronyms)]
pub type TLSServerTrustAnchors<'a> = TlsServerTrustAnchors<'a>;

#[deprecated(note = "use TlsClientTrustAnchors")]
#[allow(unknown_lints, clippy::upper_case_acronyms)]
pub type TLSClientTrustAnchors<'a> = TlsClientTrustAnchors<'a>;
Loading

0 comments on commit 5befee3

Please sign in to comment.