Temporarily undo some renaming that can't be alised, to get back webp…

…ki 0.21.4 compat.

Make it easier to maintain support for Rustls 0.19.1 by restoring the webpki main branch to a
state compatible with webpki 0.21.4.

Cargo.toml

@@ -22,7 +22,7 @@ license-file = "LICENSE"
 name = "webpki"
 readme = "README.md"
 repository = "https://github.com/briansmith/webpki"
-version = "0.22.0"
+version = "0.21.4"
 
 include = [
     "Cargo.toml",

src/calendar.rs

@@ -67,7 +67,7 @@ fn days_before_year_since_unix_epoch(year: u64) -> Result<u64, Error> {
     // Unix epoch. It is likely that other software won't deal well with
     // certificates that have dates before the epoch.
     if year < 1970 {
-        return Err(Error::BadDerTime);
+        return Err(Error::BadDERTime);
     }
     let days_before_year_ad = days_before_year_ad(year);
     debug_assert!(days_before_year_ad >= DAYS_BEFORE_UNIX_EPOCH_AD);

src/cert.rs

@@ -49,16 +49,16 @@ pub(crate) fn parse_cert_internal<'a>(
     ee_or_ca: EndEntityOrCa<'a>,
     serial_number: fn(input: &mut untrusted::Reader<'_>) -> Result<(), Error>,
 ) -> Result<Cert<'a>, Error> {
-    let (tbs, signed_data) = cert_der.read_all(Error::BadDer, |cert_der| {
+    let (tbs, signed_data) = cert_der.read_all(Error::BadDER, |cert_der| {
         der::nested(
             cert_der,
             der::Tag::Sequence,
-            Error::BadDer,
+            Error::BadDER,
             signed_data::parse_signed_data,
         )
     })?;
 
-    tbs.read_all(Error::BadDer, |tbs| {
+    tbs.read_all(Error::BadDER, |tbs| {
         version3(tbs)?;
         serial_number(tbs)?;
 
@@ -110,7 +110,7 @@ pub(crate) fn parse_cert_internal<'a>(
                     tagged,
                     der::Tag::Sequence,
                     der::Tag::Sequence,
-                    Error::BadDer,
+                    Error::BadDER,
                     |extension| {
                         let extn_id = der::expect_tag_and_get_value(extension, der::Tag::OID)?;
                         let critical = der::optional_boolean(extension)?;
@@ -154,7 +154,7 @@ pub fn certificate_serial_number(input: &mut untrusted::Reader) -> Result<(), Er
 
     let value = der::positive_integer(input)?;
     if value.big_endian_without_leading_zero().len() > 20 {
-        return Err(Error::BadDer);
+        return Err(Error::BadDER);
     }
     Ok(())
 }
@@ -215,7 +215,7 @@ fn remember_extension<'a>(
         }
         None => {
             // All the extensions that we care about are wrapped in a SEQUENCE.
-            let sequence_value = value.read_all(Error::BadDer, |value| {
+            let sequence_value = value.read_all(Error::BadDER, |value| {
                 der::expect_tag_and_get_value(value, der::Tag::Sequence)
             })?;
             *out = Some(sequence_value);

src/der.rs

@@ -23,7 +23,7 @@ pub fn expect_tag_and_get_value<'a>(
     input: &mut untrusted::Reader<'a>,
     tag: Tag,
 ) -> Result<untrusted::Input<'a>, Error> {
-    ring::io::der::expect_tag_and_get_value(input, tag).map_err(|_| Error::BadDer)
+    ring::io::der::expect_tag_and_get_value(input, tag).map_err(|_| Error::BadDER)
 }
 
 pub struct Value<'a> {
@@ -39,7 +39,7 @@ impl<'a> Value<'a> {
 pub fn expect_tag<'a>(input: &mut untrusted::Reader<'a>, tag: Tag) -> Result<Value<'a>, Error> {
     let (actual_tag, value) = read_tag_and_get_value(input)?;
     if usize::from(tag) != usize::from(actual_tag) {
-        return Err(Error::BadDer);
+        return Err(Error::BadDER);
     }
 
     Ok(Value { value })
@@ -49,7 +49,7 @@ pub fn expect_tag<'a>(input: &mut untrusted::Reader<'a>, tag: Tag) -> Result<Val
 pub fn read_tag_and_get_value<'a>(
     input: &mut untrusted::Reader<'a>,
 ) -> Result<(u8, untrusted::Input<'a>), Error> {
-    ring::io::der::read_tag_and_get_value(input).map_err(|_| Error::BadDer)
+    ring::io::der::read_tag_and_get_value(input).map_err(|_| Error::BadDER)
 }
 
 // TODO: investigate taking decoder as a reference to reduce generated code
@@ -78,10 +78,10 @@ where
 pub fn bit_string_with_no_unused_bits<'a>(
     input: &mut untrusted::Reader<'a>,
 ) -> Result<untrusted::Input<'a>, Error> {
-    nested(input, Tag::BitString, Error::BadDer, |value| {
-        let unused_bits_at_end = value.read_byte().map_err(|_| Error::BadDer)?;
+    nested(input, Tag::BitString, Error::BadDER, |value| {
+        let unused_bits_at_end = value.read_byte().map_err(|_| Error::BadDER)?;
         if unused_bits_at_end != 0 {
-            return Err(Error::BadDer);
+            return Err(Error::BadDER);
         }
         Ok(value.read_bytes_to_end())
     })
@@ -93,21 +93,21 @@ pub fn optional_boolean(input: &mut untrusted::Reader) -> Result<bool, Error> {
     if !input.peek(Tag::Boolean.into()) {
         return Ok(false);
     }
-    nested(input, Tag::Boolean, Error::BadDer, |input| {
+    nested(input, Tag::Boolean, Error::BadDER, |input| {
         match input.read_byte() {
             Ok(0xff) => Ok(true),
             Ok(0x00) => Ok(false),
-            _ => Err(Error::BadDer),
+            _ => Err(Error::BadDER),
         }
     })
 }
 
 pub fn positive_integer<'a>(input: &'a mut untrusted::Reader) -> Result<Positive<'a>, Error> {
-    ring::io::der::positive_integer(input).map_err(|_| Error::BadDer)
+    ring::io::der::positive_integer(input).map_err(|_| Error::BadDER)
 }
 
 pub fn small_nonnegative_integer(input: &mut untrusted::Reader) -> Result<u8, Error> {
-    ring::io::der::small_nonnegative_integer(input).map_err(|_| Error::BadDer)
+    ring::io::der::small_nonnegative_integer(input).map_err(|_| Error::BadDER)
 }
 
 pub fn time_choice(input: &mut untrusted::Reader) -> Result<time::Time, Error> {
@@ -120,24 +120,24 @@ pub fn time_choice(input: &mut untrusted::Reader) -> Result<time::Time, Error> {
 
     fn read_digit(inner: &mut untrusted::Reader) -> Result<u64, Error> {
         const DIGIT: core::ops::RangeInclusive<u8> = b'0'..=b'9';
-        let b = inner.read_byte().map_err(|_| Error::BadDerTime)?;
+        let b = inner.read_byte().map_err(|_| Error::BadDERTime)?;
         if DIGIT.contains(&b) {
             return Ok(u64::from(b - DIGIT.start()));
         }
-        Err(Error::BadDerTime)
+        Err(Error::BadDERTime)
     }
 
     fn read_two_digits(inner: &mut untrusted::Reader, min: u64, max: u64) -> Result<u64, Error> {
         let hi = read_digit(inner)?;
         let lo = read_digit(inner)?;
         let value = (hi * 10) + lo;
         if value < min || value > max {
-            return Err(Error::BadDerTime);
+            return Err(Error::BadDERTime);
         }
         Ok(value)
     }
 
-    nested(input, expected_tag, Error::BadDer, |value| {
+    nested(input, expected_tag, Error::BadDER, |value| {
         let (year_hi, year_lo) = if is_utc_time {
             let lo = read_two_digits(value, 0, 99)?;
             let hi = if lo >= 50 { 19 } else { 20 };
@@ -156,9 +156,9 @@ pub fn time_choice(input: &mut untrusted::Reader) -> Result<time::Time, Error> {
         let minutes = read_two_digits(value, 0, 59)?;
         let seconds = read_two_digits(value, 0, 59)?;
 
-        let time_zone = value.read_byte().map_err(|_| Error::BadDerTime)?;
+        let time_zone = value.read_byte().map_err(|_| Error::BadDERTime)?;
         if time_zone != b'Z' {
-            return Err(Error::BadDerTime);
+            return Err(Error::BadDERTime);
         }
 
         calendar::time_from_ymdhms_utc(year, month, day_of_month, hours, minutes, seconds)

src/end_entity.rs

@@ -13,9 +13,10 @@
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 use crate::{
-    cert, name, signed_data, verify_cert, DnsNameRef, Error, SignatureAlgorithm, Time,
-    TlsClientTrustAnchors, TlsServerTrustAnchors,
+    cert, name, signed_data, verify_cert, DnsNameRef, Error, SignatureAlgorithm,
+    TLSClientTrustAnchors, TLSServerTrustAnchors, Time,
 };
+use core::convert::TryFrom;
 
 /// An end-entity certificate.
 ///
@@ -56,7 +57,7 @@ pub struct EndEntityCert<'a> {
     inner: cert::Cert<'a>,
 }
 
-impl<'a> core::convert::TryFrom<&'a [u8]> for EndEntityCert<'a> {
+impl<'a> TryFrom<&'a [u8]> for EndEntityCert<'a> {
     type Error = Error;
 
     /// Parse the ASN.1 DER-encoded X.509 encoding of the certificate
@@ -72,6 +73,12 @@ impl<'a> core::convert::TryFrom<&'a [u8]> for EndEntityCert<'a> {
 }
 
 impl<'a> EndEntityCert<'a> {
+    /// Deprecated. Use `TryFrom::try_from`.
+    #[deprecated(note = "Use TryFrom::try_from")]
+    pub fn from(cert_der: &'a [u8]) -> Result<Self, Error> {
+        TryFrom::try_from(cert_der)
+    }
+
     pub(super) fn inner(&self) -> &cert::Cert {
         &self.inner
     }
@@ -89,7 +96,7 @@ impl<'a> EndEntityCert<'a> {
     pub fn verify_is_valid_tls_server_cert(
         &self,
         supported_sig_algs: &[&SignatureAlgorithm],
-        &TlsServerTrustAnchors(trust_anchors): &TlsServerTrustAnchors,
+        &TLSServerTrustAnchors(trust_anchors): &TLSServerTrustAnchors,
         intermediate_certs: &[&[u8]],
         time: Time,
     ) -> Result<(), Error> {
@@ -121,7 +128,7 @@ impl<'a> EndEntityCert<'a> {
     pub fn verify_is_valid_tls_client_cert(
         &self,
         supported_sig_algs: &[&SignatureAlgorithm],
-        &TlsClientTrustAnchors(trust_anchors): &TlsClientTrustAnchors,
+        &TLSClientTrustAnchors(trust_anchors): &TLSClientTrustAnchors,
         intermediate_certs: &[&[u8]],
         time: Time,
     ) -> Result<(), Error> {

src/error.rs

@@ -18,10 +18,12 @@ use core::fmt;
 #[derive(Clone, Copy, Debug, PartialEq)]
 pub enum Error {
     /// The encoding of some ASN.1 DER-encoded item is invalid.
-    BadDer,
+    // TODO: Rename to `BadDer` in the next release.
+    BadDER,
 
     /// The encoding of an ASN.1 DER-encoded time is invalid.
-    BadDerTime,
+    // TODO: Rename to `BadDerTime` in the next release.
+    BadDERTime,
 
     /// A CA certificate is being used as an end-entity certificate.
     CaUsedAsEndEntity,

src/lib.rs

@@ -55,7 +55,7 @@ pub use {
         ECDSA_P384_SHA384, ED25519,
     },
     time::Time,
-    trust_anchor::{TlsClientTrustAnchors, TlsServerTrustAnchors, TrustAnchor},
+    trust_anchor::{TLSClientTrustAnchors, TLSServerTrustAnchors, TrustAnchor},
 };
 
 #[cfg(feature = "alloc")]
@@ -80,11 +80,3 @@ pub type DNSNameRef<'a> = DnsNameRef<'a>;
 #[deprecated(note = "use InvalidDnsNameError")]
 #[allow(missing_docs, unknown_lints, clippy::upper_case_acronyms)]
 pub type InvalidDNSNameError = InvalidDnsNameError;
-
-#[deprecated(note = "use TlsServerTrustAnchors")]
-#[allow(missing_docs, unknown_lints, clippy::upper_case_acronyms)]
-pub type TLSServerTrustAnchors<'a> = TlsServerTrustAnchors<'a>;
-
-#[deprecated(note = "use TlsClientTrustAnchors")]
-#[allow(missing_docs, unknown_lints, clippy::upper_case_acronyms)]
-pub type TLSClientTrustAnchors<'a> = TlsClientTrustAnchors<'a>;

src/name/ip_address.rs

@@ -28,18 +28,18 @@ pub(super) fn presented_id_matches_constraint(
     constraint: untrusted::Input,
 ) -> Result<bool, Error> {
     if name.len() != 4 && name.len() != 16 {
-        return Err(Error::BadDer);
+        return Err(Error::BadDER);
     }
     if constraint.len() != 8 && constraint.len() != 32 {
-        return Err(Error::BadDer);
+        return Err(Error::BadDER);
     }
 
     // an IPv4 address never matches an IPv6 constraint, and vice versa.
     if name.len() * 2 != constraint.len() {
         return Ok(false);
     }
 
-    let (constraint_address, constraint_mask) = constraint.read_all(Error::BadDer, |value| {
+    let (constraint_address, constraint_mask) = constraint.read_all(Error::BadDER, |value| {
         let address = value.read_bytes(constraint.len() / 2).unwrap();
         let mask = value.read_bytes(constraint.len() / 2).unwrap();
         Ok((address, mask))

src/name/verify.rs

@@ -40,7 +40,7 @@ pub fn verify_cert_dns_name(
                         }
                         Some(false) => (),
                         None => {
-                            return NameIteration::Stop(Err(Error::BadDer));
+                            return NameIteration::Stop(Err(Error::BadDER));
                         }
                     }
                 }
@@ -70,7 +70,7 @@ pub fn check_name_constraints(
         if !inner.peek(subtrees_tag.into()) {
             return Ok(None);
         }
-        let subtrees = der::nested(inner, subtrees_tag, Error::BadDer, |tagged| {
+        let subtrees = der::nested(inner, subtrees_tag, Error::BadDER, |tagged| {
             der::expect_tag_and_get_value(tagged, der::Tag::Sequence)
         })?;
         Ok(Some(subtrees))
@@ -152,7 +152,7 @@ fn check_presented_id_conforms_to_constraints_in_subtree(
             input: &mut untrusted::Reader<'b>,
         ) -> Result<GeneralName<'b>, Error> {
             let general_subtree = der::expect_tag_and_get_value(input, der::Tag::Sequence)?;
-            general_subtree.read_all(Error::BadDer, |subtree| general_name(subtree))
+            general_subtree.read_all(Error::BadDER, |subtree| general_name(subtree))
         }
 
         let base = match general_subtree(&mut constraints) {
@@ -164,7 +164,7 @@ fn check_presented_id_conforms_to_constraints_in_subtree(
 
         let matches = match (name, base) {
             (GeneralName::DnsName(name), GeneralName::DnsName(base)) => {
-                dns_name::presented_id_matches_constraint(name, base).ok_or(Error::BadDer)
+                dns_name::presented_id_matches_constraint(name, base).ok_or(Error::BadDER)
             }
 
             (GeneralName::DirectoryName(name), GeneralName::DirectoryName(base)) => Ok(
@@ -322,7 +322,7 @@ fn general_name<'a>(input: &mut untrusted::Reader<'a>) -> Result<GeneralName<'a>
         | UNIFORM_RESOURCE_IDENTIFIER_TAG
         | REGISTERED_ID_TAG => GeneralName::Unsupported(tag & !(CONTEXT_SPECIFIC | CONSTRUCTED)),
 
-        _ => return Err(Error::BadDer),
+        _ => return Err(Error::BadDER),
     };
     Ok(name)
 }