From e7c20c21ae54768e1303e08358195834b40044f9 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Thu, 28 Mar 2024 12:46:35 +0100 Subject: [PATCH] Upgrade to rcgen 0.13 --- webpki-roots/Cargo.toml | 2 +- webpki-roots/tests/verify.rs | 30 +++++++++++++++++------------- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/webpki-roots/Cargo.toml b/webpki-roots/Cargo.toml index 93a183e..5348360 100644 --- a/webpki-roots/Cargo.toml +++ b/webpki-roots/Cargo.toml @@ -14,7 +14,7 @@ pki-types = { workspace = true } [dev-dependencies] hex = { workspace = true } percent-encoding = "2.3" -rcgen = "0.12.0" +rcgen = "0.13" ring = "0.17.0" rustls = "0.23" tokio = { version = "1", features = ["macros", "rt-multi-thread"] } diff --git a/webpki-roots/tests/verify.rs b/webpki-roots/tests/verify.rs index 57a6cec..518560b 100644 --- a/webpki-roots/tests/verify.rs +++ b/webpki-roots/tests/verify.rs @@ -1,8 +1,10 @@ use core::time::Duration; use std::convert::TryFrom; -use pki_types::{CertificateDer, SignatureVerificationAlgorithm, UnixTime, ServerName}; -use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, KeyUsagePurpose}; +use pki_types::{CertificateDer, ServerName, SignatureVerificationAlgorithm, UnixTime}; +use rcgen::{ + BasicConstraints, Certificate, CertificateParams, DnType, IsCa, KeyPair, KeyUsagePurpose, +}; use webpki::{anchor_from_trusted_cert, EndEntityCert, Error, KeyUsage}; use x509_parser::extensions::{GeneralName, NameConstraints as X509ParserNameConstraints}; use x509_parser::prelude::FromDer; @@ -61,7 +63,7 @@ struct ConstraintTest { impl ConstraintTest { fn new(webpki_name_constraints: &[u8]) -> Self { // Create a trust anchor CA certificate that has the name constraints we want to test. - let mut trust_anchor = CertificateParams::new([]); + let mut trust_anchor = CertificateParams::new([]).unwrap(); trust_anchor .distinguished_name .push(DnType::CommonName, "Name Constraint Test CA"); @@ -72,7 +74,8 @@ impl ConstraintTest { ]; let name_constraints = rcgen_name_constraints(webpki_name_constraints); trust_anchor.name_constraints = Some(name_constraints.clone()); - let trust_anchor = Certificate::from_params(trust_anchor).unwrap(); + let key_pair = KeyPair::generate().unwrap(); + let trust_anchor = trust_anchor.self_signed(&key_pair).unwrap(); let certs_for_subtrees = |suffix| { name_constraints @@ -82,6 +85,7 @@ impl ConstraintTest { rcgen::GeneralSubtree::DnsName(dns_name) => Some(rcgen_ee_for_name( format!("valid{}{}", dns_name, suffix), &trust_anchor, + &key_pair, )), _ => None, }) @@ -89,27 +93,27 @@ impl ConstraintTest { }; Self { - trust_anchor: CertificateDer::from(trust_anchor.serialize_der().unwrap()), // For each permitted subtree in the name constraints, issue an end entity certificate // that contains a DNS name matching the permitted subtree base. permitted_certs: certs_for_subtrees(""), // For each permitted subtree in the name constraints, issue an end entity certificate // that contains a DNS name that will **not** match the permitted subtree base. forbidden_certs: certs_for_subtrees(".invalid"), + trust_anchor: trust_anchor.into(), } } } -fn rcgen_ee_for_name(name: String, issuer: &Certificate) -> CertificateDer<'static> { - let mut ee = CertificateParams::new(vec![name.clone()]); +fn rcgen_ee_for_name( + name: String, + issuer: &Certificate, + issuer_key: &KeyPair, +) -> CertificateDer<'static> { + let mut ee = CertificateParams::new(vec![name.clone()]).unwrap(); ee.distinguished_name.push(DnType::CommonName, name); ee.is_ca = IsCa::NoCa; - CertificateDer::from( - Certificate::from_params(ee) - .unwrap() - .serialize_der_with_signer(issuer) - .unwrap(), - ) + let key_pair = KeyPair::generate().unwrap(); + ee.signed_by(&key_pair, issuer, issuer_key).unwrap().into() } /// Convert the webpki trust anchor DER encoding of name constraints to rcgen NameConstraints.