crl: CertRevocationList -> BorrowedCertRevocationList.
Preparing for introducing a trait, and an owned type.
cpu committed Jun 23, 2023
1 parent 43c85e6 commit 924c4c8
Showing 5 changed files with 49 additions and 46 deletions.
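--- a/src/crl.rs
+++ b/src/crl.rs
@@ -19,7 +19,7 @@ use crate::{der, signed_data, Error, Time};
 /// Representation of a RFC 5280[^1] profile Certificate Revocation List (CRL).
 ///
 /// [^1]: <https://www.rfc-editor.org/rfc/rfc5280#section-5>
-pub struct CertRevocationList<'a> {
+pub struct BorrowedCertRevocationList<'a> {
 /// A `SignedData` structure that can be passed to `verify_signed_data`.
 pub(crate) signed_data: signed_data::SignedData<'a>,
 
@@ -44,7 +44,7 @@ pub struct CertRevocationList<'a> {
 pub crl_number: Option<&'a [u8]>,
 }
 
-impl<'a> CertRevocationList<'a> {
+impl<'a> BorrowedCertRevocationList<'a> {
 /// Try to parse the given bytes as a RFC 5280[^1] profile Certificate Revocation List (CRL).
 ///
 /// Webpki does not support:
@@ -122,7 +122,7 @@ impl<'a> CertRevocationList<'a> {
 untrusted::Input::from(&[])
 };
 
-let mut crl = CertRevocationList {
+let mut crl = BorrowedCertRevocationList {
 signed_data,
 issuer,
 this_update,
@@ -227,7 +227,7 @@ impl<'a> CertRevocationList<'a> {
 
 /// Try to find a [`RevokedCert`] in the CRL that has a serial number matching `serial`. This
 /// method will ignore any [`RevokedCert`] entries that do not parse successfully. To handle
-/// parse errors use [`CertRevocationList`]'s [`IntoIterator`] trait.
+/// parse errors use [`BorrowedCertRevocationList`]'s [`IntoIterator`] trait.
 pub fn find_serial(&self, serial: &[u8]) -> Option<RevokedCert<'_>> {
 // TODO(XXX): This linear scan is sub-optimal from a performance perspective, but avoids
 // any allocation. It would be nice to offer a speedier alternative for
@@ -250,7 +250,7 @@ impl<'a> CertRevocationList<'a> {
 }
 }
 
-impl<'a> IntoIterator for &'a CertRevocationList<'a> {
+impl<'a> IntoIterator for &'a BorrowedCertRevocationList<'a> {
 type Item = Result<RevokedCert<'a>, Error>;
 type IntoIter = RevokedCerts<'a>;
 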
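--- a/src/lib.rs
+++ b/src/lib.rs
@@ -59,7 +59,7 @@ mod x509;
 
 pub use {
 cert::{Cert, EndEntityOrCa},
-crl::{CertRevocationList, RevocationReason, RevokedCert},
+crl::{BorrowedCertRevocationList, RevocationReason, RevokedCert},
 end_entity::EndEntityCert,
 error::Error,
 signed_data::{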
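--- a/src/verify_cert.rs
+++ b/src/verify_cert.rs
@@ -14,23 +14,23 @@
 
 use crate::{
 cert::{self, Cert, EndEntityOrCa},
-der, signed_data, subject_name, time, CertRevocationList, Error, SignatureAlgorithm,
+der, signed_data, subject_name, time, BorrowedCertRevocationList, Error, SignatureAlgorithm,
 TrustAnchor,
 };
 
 /// A trait that can provide CRLs to use for revocation checking.
 pub trait CrlProvider<'a> {
-/// A function that can be invoked with a [`Cert`] to optionally provide a [`CertRevocationList`]
+/// A function that can be invoked with a [`Cert`] to optionally provide a [`BorrowedCertRevocationList`]
 /// to use to verify the certificate's revocation status.
 ///
 /// An implementation that only wishes to check revocation status for leaf certificates can
 /// choose to return `None` when the [`Cert.ee_or_ca`] field is [`EndEntityOrCa::Ca`].
-fn crl_for_cert(&self, cert: &Cert) -> Option<&'a CertRevocationList<'a>>;
+fn crl_for_cert(&self, cert: &Cert) -> Option<&'a BorrowedCertRevocationList<'a>>;
 }
 
 /// Options controlling how revocation is handled when building a chain.
 pub struct RevocationCheckOptions<'a> {
-/// A function that can be invoked with a [`Cert`] to optionally provide a [`CertRevocationList`]
+/// A function that can be invoked with a [`Cert`] to optionally provide a [`BorrowedCertRevocationList`]
 /// to use to verify the certificate's revocation status.
 pub crl_provider: &'a dyn CrlProvider<'a>,
 }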
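--- a/tests/client_auth_revocation.rs
+++ b/tests/client_auth_revocation.rs
@@ -25,13 +25,16 @@ pub enum RevocationCheckDepth {
 }
 
 struct TestCrls<'a> {
-crls: &'a [webpki::CertRevocationList<'a>],
+crls: &'a [webpki::BorrowedCertRevocationList<'a>],
 depth: RevocationCheckDepth,
 }
 
 impl<'a> webpki::CrlProvider<'a> for TestCrls<'a> {
 // Lookup a CRL from the set of test CRLs by matching the cert's issuer with the CRL's issuer.
-fn crl_for_cert(&self, cert: &webpki::Cert) -> Option<&'a webpki::CertRevocationList<'a>> {
+fn crl_for_cert(
+&self,
+cert: &webpki::Cert,
+) -> Option<&'a webpki::BorrowedCertRevocationList<'a>> {
 // If we're asked for a CRL for a CA cert, and the configured TestCrls depth is EndEntity,
 // return None.
 if matches!(cert.end_entity_or_ca(), webpki::EndEntityOrCa::Ca(_))
@@ -50,7 +53,7 @@ fn check_cert(
 intermediates: &[&[u8]],
 ca: &[u8],
 depth: RevocationCheckDepth,
-crls: &[webpki::CertRevocationList],
+crls: &[webpki::BorrowedCertRevocationList],
 ) -> Result<(), webpki::Error> {
 let anchors = &[webpki::TrustAnchor::try_from_cert_der(ca).unwrap()];
 let anchors = webpki::TlsClientTrustAnchors(anchors.as_slice());
@@ -94,7 +97,7 @@ fn no_relevant_crl_ee_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/no_relevant_crl_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -112,7 +115,7 @@ fn ee_not_revoked_ee_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_not_revoked_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -130,7 +133,7 @@ fn ee_revoked_badsig_ee_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_revoked_badsig_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -148,7 +151,7 @@ fn ee_revoked_wrong_ku_ee_depth() {
 include_bytes!("client_auth_revocation/no_crl_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_crl_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_revoked_wrong_ku_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -166,7 +169,7 @@ fn ee_not_revoked_wrong_ku_ee_depth() {
 include_bytes!("client_auth_revocation/no_crl_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_crl_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_not_revoked_wrong_ku_ee_depth.crl.der")
 .as_slice(),
 )
@@ -185,7 +188,7 @@ fn ee_revoked_no_ku_ee_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_revoked_no_ku_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -203,7 +206,7 @@ fn ee_revoked_crl_ku_ee_depth() {
 include_bytes!("client_auth_revocation/ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_revoked_crl_ku_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -236,7 +239,7 @@ fn no_relevant_crl_chain_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/no_relevant_crl_chain_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -254,7 +257,7 @@ fn int_not_revoked_chain_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/int_not_revoked_chain_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -272,7 +275,7 @@ fn int_revoked_badsig_chain_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/int_revoked_badsig_chain_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -290,7 +293,7 @@ fn int_revoked_wrong_ku_chain_depth() {
 include_bytes!("client_auth_revocation/no_crl_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_crl_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/int_revoked_wrong_ku_chain_depth.crl.der")
 .as_slice(),
 )
@@ -309,7 +312,7 @@ fn ee_revoked_chain_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/ee_revoked_chain_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -327,7 +330,7 @@ fn int_revoked_ee_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/int_revoked_ee_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -345,7 +348,7 @@ fn int_revoked_no_ku_chain_depth() {
 include_bytes!("client_auth_revocation/no_ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/no_ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/int_revoked_no_ku_chain_depth.crl.der").as_slice(),
 )
 .unwrap()];
@@ -363,7 +366,7 @@ fn int_revoked_crl_ku_chain_depth() {
 include_bytes!("client_auth_revocation/ku_chain.int.b.ca.der").as_slice(),
 ];
 let ca = include_bytes!("client_auth_revocation/ku_chain.root.ca.der");
-let crls = &[webpki::CertRevocationList::from_der(
+let crls = &[webpki::BorrowedCertRevocationList::from_der(
 include_bytes!("client_auth_revocation/int_revoked_crl_ku_chain_depth.crl.der").as_slice(),
 )
 .unwrap()];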