Skip to content

Commit

Permalink
Upgrade to *ring* 0.17 and untrusted 0.9.
Browse files Browse the repository at this point in the history
untrusted 0.9 is used by *ring*. untrusted stopped providing a `PartialEq`
for `Input` in 0.9; this was the driver for all the code changes.
  • Loading branch information
briansmith committed Oct 2, 2023
1 parent 301128f commit 16a2638
Show file tree
Hide file tree
Showing 6 changed files with 32 additions and 20 deletions.
4 changes: 2 additions & 2 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,8 @@ alloc = ["ring/alloc"]
std = ["alloc"]

[dependencies]
ring = { version = "0.16.19", default-features = false }
untrusted = "0.7.1"
ring = { version = "0.17.0", default-features = false }
untrusted = "0.9"

[dev-dependencies]
base64 = "0.9.1"
Expand Down
4 changes: 2 additions & 2 deletions src/cert.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use crate::{der, signed_data, Error};
use crate::{der, equal, signed_data, Error};

pub enum EndEntityOrCa<'a> {
EndEntity,
Expand Down Expand Up @@ -66,7 +66,7 @@ pub(crate) fn parse_cert_internal<'a>(
// TODO: In mozilla::pkix, the comparison is done based on the
// normalized value (ignoring whether or not there is an optional NULL
// parameter for RSA-based algorithms), so this may be too strict.
if signature != signed_data.algorithm {
if !equal(signature, signed_data.algorithm) {
return Err(Error::SignatureAlgorithmMismatch);
}

Expand Down
6 changes: 6 additions & 0 deletions src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -95,3 +95,9 @@ pub type TLSServerTrustAnchors<'a> = TlsServerTrustAnchors<'a>;
#[deprecated(note = "use TlsClientTrustAnchors")]
#[allow(unknown_lints, clippy::upper_case_acronyms)]
pub type TLSClientTrustAnchors<'a> = TlsClientTrustAnchors<'a>;

// We don't operate on secret data so a convenient comparison function is warranted.
#[must_use]
fn equal(a: untrusted::Input, b: untrusted::Input) -> bool {
a.as_slice_less_safe() == b.as_slice_less_safe()
}
4 changes: 2 additions & 2 deletions src/name/verify.rs
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ use super::{
};
use crate::{
cert::{Cert, EndEntityOrCa},
der, Error,
der, equal, Error,
};

pub fn verify_cert_dns_name(
Expand Down Expand Up @@ -234,7 +234,7 @@ fn presented_directory_name_matches_constraint(
subtrees: Subtrees,
) -> bool {
match subtrees {
Subtrees::PermittedSubtrees => name == constraint,
Subtrees::PermittedSubtrees => equal(name, constraint),
Subtrees::ExcludedSubtrees => true,
}
}
Expand Down
17 changes: 10 additions & 7 deletions src/signed_data.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use crate::{der, Error};
use crate::{der, equal, Error};
use ring::signature;

/// X.509 certificates and related items that are signed are almost always
Expand Down Expand Up @@ -313,7 +313,7 @@ struct AlgorithmIdentifier {

impl AlgorithmIdentifier {
fn matches_algorithm_id_value(&self, encoded: untrusted::Input) -> bool {
encoded == self.asn1_id_value
equal(encoded, self.asn1_id_value)
}
}

Expand Down Expand Up @@ -461,10 +461,12 @@ mod tests {
let tsd = parse_test_signed_data(file_contents);
let signature = untrusted::Input::from(&tsd.signature);
assert_eq!(
Err(expected_error),
signature.read_all(Error::BadDer, |input| {
der::bit_string_with_no_unused_bits(input)
})
expected_error,
signature
.read_all(Error::BadDer, |input| {
der::bit_string_with_no_unused_bits(input)
})
.unwrap_err()
);
}

Expand All @@ -482,10 +484,11 @@ mod tests {
let tsd = parse_test_signed_data(file_contents);
let spki = untrusted::Input::from(&tsd.spki);
assert_eq!(
Err(expected_error),
expected_error,
spki.read_all(Error::BadDer, |input| {
der::expect_tag_and_get_value(input, der::Tag::Sequence)
})
.unwrap_err()
);
}

Expand Down
17 changes: 10 additions & 7 deletions src/verify_cert.rs
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ use core::default::Default;
use crate::{
budget::Budget,
cert::{self, Cert, EndEntityOrCa},
der,
der, equal,
error::ErrorOrInternalError,
name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor,
};
Expand Down Expand Up @@ -89,7 +89,7 @@ fn build_chain_inner(

match loop_while_non_fatal_error(trust_anchors, |trust_anchor: &TrustAnchor| {
let trust_anchor_subject = untrusted::Input::from(trust_anchor.subject);
if cert.issuer != trust_anchor_subject {
if !equal(cert.issuer, trust_anchor_subject) {
return Err(Error::UnknownIssuer.into());
}

Expand Down Expand Up @@ -118,15 +118,15 @@ fn build_chain_inner(
let potential_issuer =
cert::parse_cert(untrusted::Input::from(cert_der), EndEntityOrCa::Ca(cert))?;

if potential_issuer.subject != cert.issuer {
if !equal(potential_issuer.subject, cert.issuer) {
return Err(Error::UnknownIssuer.into());
}

// Prevent loops; see RFC 4158 section 5.2.
let mut prev = cert;
loop {
if potential_issuer.spki.value() == prev.spki.value()
&& potential_issuer.subject == prev.subject
if equal(potential_issuer.spki.value(), prev.spki.value())
&& equal(potential_issuer.subject, prev.subject)
{
return Err(Error::UnknownIssuer.into());
}
Expand Down Expand Up @@ -361,7 +361,7 @@ fn check_eku(
Some(input) => {
loop {
let value = der::expect_tag_and_get_value(input, der::Tag::OID)?;
if value == required_eku_if_present.oid_value {
if equal(value, required_eku_if_present.oid_value) {
input.skip_to_end();
break;
}
Expand All @@ -381,7 +381,10 @@ fn check_eku(
// important that id-kp-OCSPSigning is explicit so that a normal
// end-entity certificate isn't able to sign trusted OCSP responses
// for itself or for other certificates issued by its issuing CA.
if required_eku_if_present.oid_value == EKU_OCSP_SIGNING.oid_value {
if equal(
required_eku_if_present.oid_value,
EKU_OCSP_SIGNING.oid_value,
) {
return Err(Error::RequiredEkuNotFound);
}

Expand Down

0 comments on commit 16a2638

Please sign in to comment.