From 6148818b92849676a75092764115823a7dc41064 Mon Sep 17 00:00:00 2001
From: Aumetra Weisman
Date: Mon, 14 Oct 2024 16:39:20 +0200
Subject: [PATCH] Migrate to `x509-cert`
---
 Cargo.toml | 14 +++++++++++---
 src/lib.rs | 44 ++++++++++++++++++++++++++------------------
 2 files changed, 37 insertions(+), 21 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 93cc952..4b0d36a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -9,15 +9,23 @@ license = "MIT"
 readme = "README.md"
 [dependencies]
+const-oid = { version = "0.9.6", default-features = false, features = ["db"] }
 ring = { version = "0.17", default-features = false }
 rustls = { version = "0.23", default-features = false }
 tokio = { version = "1", default-features = false }
 tokio-postgres = { version = "0.7", default-features = false }
 tokio-rustls = { version = "0.26", default-features = false }
-x509-certificate = {version = "0.23", default-features = false }
+x509-cert = { version = "0.2.5", default-features = false, features = ["std"] }
 [dev-dependencies]
 env_logger = { version = "0.11", default-features = false }
 tokio = { version = "1", default-features = false, features = ["macros", "rt"] }
-tokio-postgres = { version = "0.7", default-features = false, features = ["runtime"] }
-rustls = { version = "0.23", default-features = false, features = ["std", "logging", "tls12", "ring"] }
+tokio-postgres = { version = "0.7", default-features = false, features = [
+ "runtime",
+] }
+rustls = { version = "0.23", default-features = false, features = [
+ "std",
+ "logging",
+ "tls12",
+ "ring",
+] }
diff --git a/src/lib.rs b/src/lib.rs
index 5fd02ce..17fea41 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,18 +6,22 @@ use std::{
 sync::Arc,
 task::{Context, Poll},
 };
-use DigestAlgorithm::{Sha1, Sha256, Sha384, Sha512};
+use const_oid::db::{
+ rfc5912::{
+ ECDSA_WITH_SHA_256, ECDSA_WITH_SHA_384, ID_SHA_1, ID_SHA_256, ID_SHA_384, ID_SHA_512,
+ SHA_1_WITH_RSA_ENCRYPTION, SHA_256_WITH_RSA_ENCRYPTION, SHA_384_WITH_RSA_ENCRYPTION,
+ SHA_512_WITH_RSA_ENCRYPTION,
+ },
+ rfc8410::ID_ED_25519,
+};
 use ring::digest;
 use rustls::pki_types::ServerName;
 use rustls::ClientConfig;
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use tokio_postgres::tls::{ChannelBinding, MakeTlsConnect, TlsConnect};
 use tokio_rustls::{client::TlsStream, TlsConnector};
-use x509_certificate::{DigestAlgorithm, SignatureAlgorithm, X509Certificate};
-use SignatureAlgorithm::{
- EcdsaSha256, EcdsaSha384, Ed25519, NoSignature, RsaSha1, RsaSha256, RsaSha384, RsaSha512,
-};
+use x509_cert::{der::Decode, TbsCertificate};
 #[derive(Clone)]
 pub struct MakeRustlsConnect {
@@ -85,20 +89,24 @@ where
 fn channel_binding(&self) -> ChannelBinding {
 let (_, session) = self.0.get_ref();
 match session.peer_certificates() {
- Some(certs) if !certs.is_empty() => X509Certificate::from_der(&certs[0])
+ Some(certs) if !certs.is_empty() => TbsCertificate::from_der(&certs[0])
 .ok()
- .and_then(|cert| cert.signature_algorithm())
- .map(|algorithm| match algorithm {
- // Note: SHA1 is upgraded to SHA256 as per https://datatracker.ietf.org/doc/html/rfc5929#section-4.1
- RsaSha1 | RsaSha256 | EcdsaSha256 => &digest::SHA256,
- RsaSha384 | EcdsaSha384 => &digest::SHA384,
- RsaSha512 => &digest::SHA512,
- Ed25519 => &digest::SHA512,
- NoSignature(algo) => match algo {
- Sha1 | Sha256 => &digest::SHA256,
- Sha384 => &digest::SHA384,
- Sha512 => &digest::SHA512,
- },
+ .and_then(|cert| {
+ let digest = match cert.signature.oid {
+ // Note: SHA1 is upgraded to SHA256 as per https://datatracker.ietf.org/doc/html/rfc5929#section-4.1
+ ID_SHA_1
+ | ID_SHA_256
+ | SHA_1_WITH_RSA_ENCRYPTION
+ | SHA_256_WITH_RSA_ENCRYPTION
+ | ECDSA_WITH_SHA_256 => &digest::SHA256,
+ ID_SHA_384 | SHA_384_WITH_RSA_ENCRYPTION | ECDSA_WITH_SHA_384 => {
+ &digest::SHA384
+ }
+ ID_SHA_512 | SHA_512_WITH_RSA_ENCRYPTION | ID_ED_25519 => &digest::SHA512,
+ _ => return None,
+ };
+
+ Some(digest)
 })
 .map(|algorithm| {
 let hash = digest::digest(algorithm, certs[0].as_ref());
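Review bot: `TbsCertificate::from_der(&certs[0])` is given the peer's complete certificate, and an X.509 Certificate is a SEQUENCE that wraps the TBSCertificate together with the outer signature algorithm and signature value, so this parse would be expected to fail on real certificates. Because the error is discarded by `.ok()`, and assuming the end of this chain (outside the hunk) falls back to no channel binding, the `tls-server-end-point` binding would be silently dropped instead of surfacing an error. Parsing the whole structure avoids that: `Certificate::from_der(&certs[0])` with `match cert.signature_algorithm.oid {`, and the import in the first src/lib.rs hunk becomes `use x509_cert::{der::Decode, Certificate};`. A test asserting that a known certificate yields a non-empty binding would catch this kind of regression. Separately, the `_ => return None` arm also covers algorithms such as ECDSA with SHA-512 and RSASSA-PSS, so a short comment stating that unmapped OIDs intentionally disable binding would help the next reader.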