Skip to content

Commit

Permalink
tests: fix webpki deprecations, remove allow.
Browse files Browse the repository at this point in the history
The upstream webpki deprecated the per-usage trust anchor representation
and end entity certificate verification functions. Instead, we now use
the general `TrustAnchor` type and invoke `verify_for_usage` with the
intended `KeyUsage`.
  • Loading branch information
cpu authored and est31 committed Aug 25, 2023
1 parent 6b109c5 commit 75c853f
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions tests/webpki.rs
Original file line number Diff line number Diff line change
@@ -1,11 +1,9 @@
// TODO: we import deprecated webpki items here, get rid of them and allow this
#![allow(deprecated)]
#[cfg(feature = "x509-parser")]
use rcgen::{CertificateSigningRequest, DnValue};
use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, KeyPair, RemoteKeyPair};
use rcgen::{KeyUsagePurpose, ExtendedKeyUsagePurpose, SerialNumber};
use rcgen::{CertificateRevocationList, CertificateRevocationListParams, RevocationReason, RevokedCertParams};
use webpki::{EndEntityCert, TlsServerTrustAnchors, TrustAnchor, BorrowedCertRevocationList, CertRevocationList, TlsClientTrustAnchors};
use webpki::{EndEntityCert, TrustAnchor, BorrowedCertRevocationList, CertRevocationList, KeyUsage};
use webpki::SignatureAlgorithm;
use webpki::{Time, DnsNameRef};

Expand Down Expand Up @@ -54,18 +52,19 @@ fn check_cert_ca<'a, 'b>(cert_der :&[u8], cert :&'a Certificate, ca_der :&[u8],
sign_fn :impl FnOnce(&'a Certificate, &'b [u8]) -> Vec<u8>) {
let trust_anchor = TrustAnchor::try_from_cert_der(&ca_der).unwrap();
let trust_anchor_list = &[trust_anchor];
let trust_anchors = TlsServerTrustAnchors(trust_anchor_list);
let end_entity_cert = EndEntityCert::try_from(cert_der).unwrap();

// Set time to Jan 10, 2004
let time = Time::from_seconds_since_unix_epoch(0x40_00_00_00);

// (1/3) Check whether the cert is valid
end_entity_cert.verify_is_valid_tls_server_cert(
end_entity_cert.verify_for_usage(
&[&cert_alg, &ca_alg],
&trust_anchors,
&trust_anchor_list[..],
&[],
time,
KeyUsage::server_auth(),
&[],
).expect("valid TLS server cert");

// (2/3) Check that the cert is valid for the given DNS name
Expand Down Expand Up @@ -485,17 +484,17 @@ fn test_webpki_crl_revoke() {
// Set up webpki's verification requirements.
let trust_anchor = TrustAnchor::try_from_cert_der(issuer_der.as_ref()).unwrap();
let trust_anchor_list = &[trust_anchor];
let trust_anchors = TlsClientTrustAnchors(trust_anchor_list);
let end_entity_cert = EndEntityCert::try_from(ee_der.as_ref()).unwrap();
let unix_time = 0x40_00_00_00;
let time = Time::from_seconds_since_unix_epoch(unix_time);

// The end entity cert should validate with the issuer without error.
end_entity_cert.verify_is_valid_tls_client_cert(
end_entity_cert.verify_for_usage(
&[&webpki::ECDSA_P256_SHA256],
&trust_anchors,
&trust_anchor_list[..],
&[],
time,
KeyUsage::client_auth(),
&[],
).expect("failed to validate ee cert with issuer");

Expand All @@ -520,11 +519,12 @@ fn test_webpki_crl_revoke() {
let crl = BorrowedCertRevocationList::from_der(&crl_der).unwrap();

// The end entity cert should **not** validate when we provide a CRL that revokes the EE cert.
let result = end_entity_cert.verify_is_valid_tls_client_cert(
let result = end_entity_cert.verify_for_usage(
&[&webpki::ECDSA_P256_SHA256],
&trust_anchors,
&trust_anchor_list[..],
&[],
time,
KeyUsage::client_auth(),
&[&crl],
);
assert!(matches!(result, Err(webpki::Error::CertRevoked)));
Expand Down

0 comments on commit 75c853f

Please sign in to comment.