Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add a method to collect DNS names from a certificate #42

Merged
merged 1 commit into from
Apr 20, 2023
Merged

add a method to collect DNS names from a certificate #42

merged 1 commit into from
Apr 20, 2023
+286 −34

Conversation

cpu
Copy link
Member

@cpu cpu commented Apr 5, 2023
edited
Loading

This branch adds an EndEntityCert::dns_names method, which returns a list of the DNS names provided in the subject alternative names extension of the certificate.

This branch is based on work done by @seanmonstar in briansmith/webpki#91, by @Geal in briansmith/webpki#103 and @hawkw in #6. The development train keeps chugging along in this branch :-)

In #6 @hawkw updated the changeset to track the main branch of the rustls/webpki repository. Since I wasn't able to push commits to the linkerd fork to continue develop in #6 I have addressed the feedback on that branch in this separate PR. The new changes are:

  • Updating list_cert_dns_names to return impl Iterator instead of a Vec based on @djc's feedback.
  • Fixing the stale comments about Eq, PartialEq, etc flagged by @samlh in a drive-by review. Brian Smith implemented Eq, PartialEq and Hash for the DNSName type in briansmith/webpki@96de094 but the comments referring to not implementing them slipped through.
  • Rebasing on main.
  • Applying cargo fmt, fixing cargo clippy findings, import drifts.
  • Removing alloc requirement on Debug impls with an allocation-free strategy for lowercasing.
  • Removing unnecessary use of a RefCell by changing the name iterator helper to accept an impl FnMut argument instead of dyn Fn.
  • Removing the owned WildcardDnsName type.
  • Clarifying the rationale for the GeneralDnsNameRef type, and why DnsNameRef can't contain wildcards while WildcardDnsNameRef may.
  • Implementing AsRef<str> for GeneralDnsNameRef.

Any bugs/errors are mine :-P

Closes #2
Replaces #6

Authored-by: Geoffroy Couprie [email protected]
Co-authored-by: Sean McArthur [email protected]
Co-authored-by: Eliza Weisman [email protected]
Co-authored-by: Daniel McCarney [email protected]
Signed-off-by: Daniel McCarney [email protected]

@cpu cpu self-assigned this Apr 5, 2023
@cpu cpu marked this pull request as draft April 5, 2023 19:13
@cpu
Copy link
Member Author

cpu commented Apr 5, 2023

Oops, looks like I picked a stale base branch and need to resolve conflicts. Setting this as WIP to fix that up.

@cpu cpu marked this pull request as ready for review April 5, 2023 19:51
@cpu
Copy link
Member Author

cpu commented Apr 5, 2023

need to resolve conflicts. Setting this as WIP to fix that up.

All fixed up.

@cpu cpu mentioned this pull request Apr 5, 2023
Closed
@djc
Copy link
Member

djc commented Apr 5, 2023

Would be nice to squash this all into a single commit (with a whole bunch of co-author lines).

hawkw
hawkw approved these changes Apr 5, 2023
View reviewed changes
Copy link
Contributor

@hawkw hawkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thanks for picking up this work!

I had one small suggestion that occurred to me while skimming this code.

src/subject_name/dns_name.rs Outdated Show resolved Hide resolved
src/subject_name/dns_name.rs Outdated Show resolved Hide resolved
@cpu
Copy link
Member Author

cpu commented Apr 6, 2023

I had one small suggestion that occurred to me while skimming this code.

Thanks for the review!

Would be nice to squash this all into a single commit (with a whole bunch of co-author lines).

Done ☑️

@codecov
Copy link

codecov bot commented Apr 6, 2023
edited
Loading

Codecov Report

Merging #42 (9b66ec4) into main (6dd4a44) will decrease coverage by 0.40%.
The diff coverage is 82.27%.

@@            Coverage Diff             @@
##             main      #42      +/-   ##
==========================================
- Coverage   94.17%   93.78%   -0.40%     
==========================================
  Files          14       14              
  Lines        2505     2573      +68     
==========================================
+ Hits         2359     2413      +54     
- Misses        146      160      +14
Impacted Files Coverage Δ
src/subject_name/dns_name.rs 87.14% <68.88%> (-3.28%) ⬇️
src/end_entity.rs 54.54% <100.00%> (+2.16%) ⬆️
src/subject_name/verify.rs 95.81% <100.00%> (+0.49%) ⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

djc
djc reviewed Apr 6, 2023
View reviewed changes
src/subject_name/dns_name.rs Outdated Show resolved Hide resolved
src/subject_name/verify.rs Outdated Show resolved Hide resolved
src/subject_name/dns_name.rs Show resolved Hide resolved
@cpu cpu requested a review from djc April 12, 2023 14:59
djc
djc reviewed Apr 18, 2023
View reviewed changes
src/end_entity.rs Show resolved Hide resolved
src/subject_name/dns_name.rs Outdated Show resolved Hide resolved
src/subject_name/dns_name.rs Outdated Show resolved Hide resolved
src/subject_name/dns_name.rs Outdated Show resolved Hide resolved
@Geal @cpu
add a method to collect the DNS names from a cert.
9b66ec4 
This commit adds an `EndEntityCert::dns_names` method, which returns
a list of the DNS names provided in the subject alternative names
extension of the certificate.

Authored-by: Geoffroy Couprie [email protected]
Co-authored-by: Sean McArthur [email protected]
Co-authored-by: Eliza Weisman [email protected]
Co-authored-by: Daniel McCarney [email protected]
Signed-off-by: Daniel McCarney [email protected]
This was referenced Apr 18, 2023
Closed
Closed
@djc djc merged commit bdb7874 into rustls:main Apr 20, 2023
@cpu cpu deleted the cpu-adopts-6-cert-dns-names branch April 20, 2023 21:13
@Geal
Copy link
Contributor

Geal commented Apr 21, 2023

I'm amazed to see this merged, it took a few detours, but it's there!! Thanks!

@moparisthebest moparisthebest mentioned this pull request Apr 22, 2023
Closed
@hawkw hawkw mentioned this pull request Aug 31, 2023
Closed
hawkw added a commit to linkerd/linkerd2-proxy that referenced this pull request Sep 1, 2023
@hawkw
use rustls-webpki instead of linkerd/webpki
8558735 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.
@hawkw hawkw mentioned this pull request Sep 5, 2023
Merged
hawkw added a commit to linkerd/linkerd2-proxy that referenced this pull request Sep 11, 2023
@hawkw
use rustls-webpki instead of linkerd/webpki (#2465)
cd04d7a 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.
hawkw added a commit to linkerd/linkerd2 that referenced this pull request Sep 11, 2023
@hawkw
proxy: v2.209.0
12a4266 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.

---

* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)

Signed-off-by: Eliza Weisman <[email protected]>
@hawkw hawkw mentioned this pull request Sep 11, 2023
Merged
hawkw added a commit to linkerd/linkerd2 that referenced this pull request Sep 11, 2023
@hawkw
proxy: v2.209.0 (#11361)
ff5fabb 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.

---

* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)

Signed-off-by: Eliza Weisman <[email protected]>
hawkw added a commit to linkerd/linkerd2-proxy that referenced this pull request Sep 18, 2023
@hawkw
use rustls-webpki instead of linkerd/webpki (#2465)
a4ccd6f 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.
hawkw added a commit to linkerd/linkerd2-proxy that referenced this pull request Sep 18, 2023
@hawkw
use rustls-webpki instead of linkerd/webpki (#2465)
9fe7ea0 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
@hawkw @adamshawvipps
proxy: v2.209.0 (linkerd#11361)
5dff296 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.

---

* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)

Signed-off-by: Eliza Weisman <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
@hawkw @adamshawvipps
proxy: v2.209.0 (linkerd#11361)
2b0c1ea 
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (PR see
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.

---

* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)

Signed-off-by: Eliza Weisman <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
@djc djc mentioned this pull request Sep 20, 2023
Merged
@cpu cpu mentioned this pull request Sep 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hawkw hawkw hawkw approved these changes

@moparisthebest moparisthebest moparisthebest left review comments

@djc djc djc approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add a means to collect SANs from a certificate
5 participants
@cpu @djc @Geal @moparisthebest @hawkw