-rw-r--r--src/rust/cryptography-x509-verification/src/lib.rs38
-rw-r--r--src/rust/cryptography-x509-verification/src/ops.rs7
-rw-r--r--src/rust/cryptography-x509-verification/src/trust_store.rs9
-rw-r--r--src/rust/src/x509/verify.rs44
4 files changed, 55 insertions, 43 deletions
diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs
index 169226c..3649890 100644
--- a/src/rust/cryptography-x509-verification/src/lib.rs
+++ b/src/rust/cryptography-x509-verification/src/lib.rs
@@ -213,22 +213,22 @@ impl<'a, 'chain> NameChain<'a, 'chain> {
}
}
-pub type Chain<'c, B> = Vec<VerificationCertificate<'c, B>>;
+pub type Chain<'a, 'c, B> = Vec<&'a VerificationCertificate<'c, B>>;
-pub fn verify<'chain, B: CryptoOps>(
- leaf: &VerificationCertificate<'chain, B>,
- intermediates: impl IntoIterator<Item = VerificationCertificate<'chain, B>>,
- policy: &Policy<'_, B>,
- store: &Store<'chain, B>,
-) -> Result<Chain<'chain, B>, ValidationError> {
- let builder = ChainBuilder::new(intermediates.into_iter().collect(), policy, store);
+pub fn verify<'a, 'chain: 'a, B: CryptoOps>(
+ leaf: &'a VerificationCertificate<'chain, B>,
+ intermediates: &'a [&'a VerificationCertificate<'chain, B>],
+ policy: &'a Policy<'_, B>,
+ store: &'a Store<'chain, B>,
+) -> Result<Chain<'a, 'chain, B>, ValidationError> {
+ let builder = ChainBuilder::new(intermediates, policy, store);
let mut budget = Budget::new();
builder.build_chain(leaf, &mut budget)
}
struct ChainBuilder<'a, 'chain, B: CryptoOps> {
- intermediates: Vec<VerificationCertificate<'chain, B>>,
+ intermediates: &'a [&'a VerificationCertificate<'chain, B>],
policy: &'a Policy<'a, B>,
store: &'a Store<'chain, B>,
}
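Review bot: `verify` is public and its ownership contract changes here, yet it still carries no doc comment. The returned `Chain` now holds `&'a` borrows instead of owned copies, and since `potential_issuers` draws candidates from both `self.store` and `self.intermediates`, a caller has to keep `leaf`, the certificates behind `intermediates` and the `store` alive for as long as it reads the chain. I would add something like `/// Builds and validates a chain for leaf; the returned Chain borrows from leaf, intermediates and store, nothing is cloned.` above the function. The doc comment should also say which end of the vector is the trust anchor, because callers that pick the root or the leaf by index depend on it.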
@@ -252,9 +252,9 @@ impl ApplyNameConstraintStatus {
}
}
-impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
+impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
fn new(
- intermediates: Vec<VerificationCertificate<'chain, B>>,
+ intermediates: &'a [&'a VerificationCertificate<'chain, B>],
policy: &'a Policy<'a, B>,
store: &'a Store<'chain, B>,
) -> Self {
@@ -266,7 +266,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
}
fn potential_issuers(
- &'a self,
+ &self,
cert: &'a VerificationCertificate<'chain, B>,
) -> impl Iterator<Item = &'a VerificationCertificate<'chain, B>> + '_ {
// TODO: Optimizations:
@@ -274,19 +274,19 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
self.store
.get_by_subject(&cert.certificate().tbs_cert.issuer)
.iter()
- .chain(self.intermediates.iter().filter(|&candidate| {
+ .chain(self.intermediates.iter().copied().filter(|&candidate| {
candidate.certificate().subject() == cert.certificate().issuer()
}))
}
fn build_chain_inner(
&self,
- working_cert: &VerificationCertificate<'chain, B>,
+ working_cert: &'a VerificationCertificate<'chain, B>,
current_depth: u8,
working_cert_extensions: &Extensions<'chain>,
name_chain: NameChain<'_, 'chain>,
budget: &mut Budget,
- ) -> Result<Chain<'chain, B>, ValidationError> {
+ ) -> Result<Chain<'a, 'chain, B>, ValidationError> {
if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) {
name_chain.evaluate_constraints(&nc.value()?, budget)?;
}
@@ -294,7 +294,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
// Look in the store's root set to see if the working cert is listed.
// If it is, we've reached the end.
if self.store.contains(working_cert) {
- return Ok(vec![working_cert.clone()]);
+ return Ok(vec![working_cert]);
}
// Check that our current depth does not exceed our policy-configured
@@ -357,7 +357,7 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
budget,
) {
Ok(mut chain) => {
- chain.push(working_cert.clone());
+ chain.push(working_cert);
return Ok(chain);
}
// Immediately return on fatal error.
@@ -387,9 +387,9 @@ impl<'a, 'chain, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
fn build_chain(
&self,
- leaf: &VerificationCertificate<'chain, B>,
+ leaf: &'a VerificationCertificate<'chain, B>,
budget: &mut Budget,
- ) -> Result<Chain<'chain, B>, ValidationError> {
+ ) -> Result<Chain<'a, 'chain, B>, ValidationError> {
// Before anything else, check whether the given leaf cert
// is well-formed according to our policy (and its underlying
// certificate profile).
diff --git a/src/rust/cryptography-x509-verification/src/ops.rs b/src/rust/cryptography-x509-verification/src/ops.rs
index 807bce5..1b2f593 100644
--- a/src/rust/cryptography-x509-verification/src/ops.rs
+++ b/src/rust/cryptography-x509-verification/src/ops.rs
@@ -39,11 +39,6 @@ impl<B: CryptoOps> PartialEq for VerificationCertificate<'_, B> {
}
}
impl<B: CryptoOps> Eq for VerificationCertificate<'_, B> {}
-impl<B: CryptoOps> Clone for VerificationCertificate<'_, B> {
- fn clone(&self) -> Self {
- VerificationCertificate::new(self.cert.clone(), self.extra.clone())
- }
-}
pub trait CryptoOps {
/// A public key type for this cryptographic backend.
@@ -53,7 +48,7 @@ pub trait CryptoOps {
type Err;
/// Extra data that's passed around with the certificate.
- type CertificateExtra: Clone;
+ type CertificateExtra;
/// Extracts the public key from the given `Certificate` in
/// a `Key` format known by the cryptographic backend, or `None`
diff --git a/src/rust/cryptography-x509-verification/src/trust_store.rs b/src/rust/cryptography-x509-verification/src/trust_store.rs
index 462b819..1d76bd5 100644
--- a/src/rust/cryptography-x509-verification/src/trust_store.rs
+++ b/src/rust/cryptography-x509-verification/src/trust_store.rs
@@ -22,7 +22,7 @@ impl<'a, B: CryptoOps> Store<'a, B> {
by_subject
.entry(cert.certificate().tbs_cert.subject.clone())
.or_default()
- .push(cert.clone());
+ .push(cert);
}
Store { by_subject }
}
@@ -51,9 +51,10 @@ mod tests {
#[test]
fn test_store() {
let cert_pem = v1_cert_pem();
- let cert = VerificationCertificate::new(cert(&cert_pem), ());
- let store = Store::<'_, PublicKeyErrorOps>::new([cert.clone()]);
+ let cert1 = VerificationCertificate::new(cert(&cert_pem), ());
+ let cert2 = VerificationCertificate::new(cert(&cert_pem), ());
+ let store = Store::<'_, PublicKeyErrorOps>::new([cert1]);
- assert!(store.contains(&cert));
+ assert!(store.contains(&cert2));
}
}
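Review bot: `test_store` still covers only the positive case, and it now passes only if equality on `VerificationCertificate` is by content, because `cert1` and `cert2` are separate parses of the same PEM. `Store::contains` is the check that ends chain building at a trust anchor in `build_chain_inner`, so a negative assertion is worth having next to it: `assert!(!store.contains(&other));`, with `other` parsed from a different certificate fixture. The `PartialEq` impl is outside this hunk, so what it actually compares is inferred here rather than read.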
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs
index 9b1db24..2848095 100644
--- a/src/rust/src/x509/verify.rs
+++ b/src/rust/src/x509/verify.rs
@@ -260,17 +260,25 @@ impl PyClientVerifier {
let policy = self.as_policy();
let store = self.store.get();
- let chain = cryptography_x509_verification::verify(
- &VerificationCertificate::new(
- leaf.get().raw.borrow_dependent().clone(),
- leaf.clone_ref(py),
- ),
- intermediates.iter().map(|i| {
+ let intermediates = intermediates
+ .iter()
+ .map(|i| {
VerificationCertificate::new(
i.get().raw.borrow_dependent().clone(),
i.clone_ref(py),
)
- }),
+ })
+ .collect::<Vec<_>>();
+ let intermediate_refs = intermediates.iter().collect::<Vec<_>>();
+
+ let v = VerificationCertificate::new(
+ leaf.get().raw.borrow_dependent().clone(),
+ leaf.clone_ref(py),
+ );
+
+ let chain = cryptography_x509_verification::verify(
+ &v,
+ &intermediate_refs,
policy,
store.raw.borrow_dependent(),
)
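Review bot: The block that builds `intermediates`, `intermediate_refs` and `v` is added here in `PyClientVerifier` and repeated line for line in the `PyServerVerifier` hunk below, so any later change to how certificates are wrapped has to be made twice. A small private helper that returns the owned `Vec` of wrappers would keep the two verifiers in step. `v` would read better as `leaf_cert`, and the locals deserve a short comment such as `// Owned wrappers: the chain returned by verify() borrows from these, so they must outlive it.` The enclosing method starts and ends outside the hunk, so how the borrowed chain is consumed afterwards is not visible here.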
@@ -344,17 +352,25 @@ impl PyServerVerifier {
let policy = self.as_policy();
let store = self.store.get();
- let chain = cryptography_x509_verification::verify(
- &VerificationCertificate::new(
- leaf.get().raw.borrow_dependent().clone(),
- leaf.clone_ref(py),
- ),
- intermediates.iter().map(|i| {
+ let intermediates = intermediates
+ .iter()
+ .map(|i| {
VerificationCertificate::new(
i.get().raw.borrow_dependent().clone(),
i.clone_ref(py),
)
- }),
+ })
+ .collect::<Vec<_>>();
+ let intermediate_refs = intermediates.iter().collect::<Vec<_>>();
+
+ let v = VerificationCertificate::new(
+ leaf.get().raw.borrow_dependent().clone(),
+ leaf.clone_ref(py),
+ );
+
+ let chain = cryptography_x509_verification::verify(
+ &v,
+ &intermediate_refs,
policy,
store.raw.borrow_dependent(),
)