Remove common name parsing from NameIterator

This commit removes parsing of the subject common name field from `NameIterator`, since `rustls-webpki` does not actually verify subject common names except when enforcing name constraints. This fixes issues with common names in formats that `rustls-webpki` doesn't currently support, by removing this code entirely. Fixes rustls-webpki/webpki#167
rustls · Sep 7, 2023 · ac1740c · ac1740c
1 parent 7d31075
commit ac1740c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 46 deletions.
diff --git a/src/der.rs b/src/der.rs
@@ -62,9 +62,9 @@ pub(crate) enum Tag {
     OctetString = 0x04,
     OID = 0x06,
     Enum = 0x0A,
-    UTF8String = 0x0C,
+    // UTF8String = 0x0C,
     Sequence = CONSTRUCTED | 0x10, // 0x30
-    Set = CONSTRUCTED | 0x11,      // 0x31
+    // Set = CONSTRUCTED | 0x11,      // 0x31
     UTCTime = 0x17,
     GeneralizedTime = 0x18,
 

diff --git a/src/subject_name/verify.rs b/src/subject_name/verify.rs
@@ -333,20 +333,9 @@ impl<'a> Iterator for NameIterator<'a> {
             }
         }
 
-        if let Some(subject_directory_name) = self.subject_directory_name.take() {
-            return Some(Ok(GeneralName::DirectoryName(subject_directory_name)));
-        }
-
-        if let Some(subject_common_name) = self.subject_common_name.take() {
-            return match common_name(subject_common_name) {
-                Ok(Some(cn)) => Some(Ok(GeneralName::DnsName(cn))),
-                Ok(None) => None,
-                // All the iterator fields should be `None` at this point
-                Err(err) => Some(Err(err)),
-            };
-        }
-
-        None
+        self.subject_directory_name
+            .take()
+            .map(|subject_directory_name| Ok(GeneralName::DirectoryName(subject_directory_name)))
     }
 }
 
@@ -445,33 +434,3 @@ impl<'a> FromDer<'a> for GeneralName<'a> {
 
     const TYPE_ID: DerTypeId = DerTypeId::GeneralName;
 }
-
-static COMMON_NAME: untrusted::Input = untrusted::Input::from(&[85, 4, 3]);
-
-fn common_name(input: untrusted::Input) -> Result<Option<untrusted::Input>, Error> {
-    let inner = &mut untrusted::Reader::new(input);
-    der::nested(
-        inner,
-        der::Tag::Set,
-        Error::TrailingData(DerTypeId::CommonNameOuter),
-        |tagged| {
-            der::nested(
-                tagged,
-                der::Tag::Sequence,
-                Error::TrailingData(DerTypeId::CommonNameInner),
-                |tagged| {
-                    while !tagged.at_end() {
-                        let name_oid = der::expect_tag(tagged, der::Tag::OID)?;
-                        if name_oid == COMMON_NAME {
-                            return der::expect_tag(tagged, der::Tag::UTF8String).map(Some);
-                        } else {
-                            // discard unused name value
-                            der::read_tag_and_get_value(tagged)?;
-                        }
-                    }
-                    Ok(None)
-                },
-            )
-        },
-    )
-}