fix: replace patched webpki with rustls-webpki

The replacement does not implement the certificate validity, but it is better to be honest and fail verification if there is no time keeping.
drogue-iot · Nov 9, 2023 · b7d4ca8 · b7d4ca8
1 parent 66e9093
commit b7d4ca8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 18 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,9 +27,7 @@ embedded-io = "0.6"
 embedded-io-async = { version = "0.6", optional = true }
 embedded-io-adapters = { version = "0.6", optional = true }
 generic-array = { version = "0.14", default-features = false }
-#webpki = { version = "0.22.0", default-features = false }
-#webpki = { path = "../../webpki", default-features = false }
-webpki = { version = "0.21.4", git = "https://github.com/lulf/webpki", rev = "d5188bd8c0a2c9cb14ec7835e63253e793e720a1", default-features = false, optional = true }
+webpki = { package = "rustls-webpki", version = "0.101.7", default-features = false, optional = true }
 
 # Logging alternatives
 log = { version = "0.4", optional = true }

diff --git a/src/webpki.rs b/src/webpki.rs
@@ -10,8 +10,6 @@ use crate::TlsError;
 use core::marker::PhantomData;
 use digest::Digest;
 use heapless::Vec;
-use webpki::DnsNameRef;
-
 #[cfg(all(not(feature = "alloc"), feature = "webpki"))]
 impl TryInto<&'static webpki::SignatureAlgorithm> for SignatureScheme {
     type Error = TlsError;
@@ -194,8 +192,6 @@ fn verify_certificate(
             warn!("Error loading CA: {:?}", e);
             TlsError::DecodeError
         })?;
-        let anchors = &[trust];
-        let anchors = webpki::TLSServerTrustAnchors(anchors);
 
         trace!("We got {} certificate entries", certificate.entries.len());
 
@@ -210,26 +206,32 @@ fn verify_certificate(
                 let time = if let Some(now) = now {
                     webpki::Time::from_seconds_since_unix_epoch(now)
                 } else {
-                    // If no clock is provided, use certificate notAfter as the timestamp, if available
-                    if let Ok(validity) = cert.validity() {
-                        validity.not_after
-                    } else {
-                        webpki::Time::from_seconds_since_unix_epoch(0)
-                    }
+                    // If no clock is provided, the validity check will fail
+                    webpki::Time::from_seconds_since_unix_epoch(0)
                 };
                 info!("Certificate is loaded!");
-                match cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[], time) {
+                match cert.verify_for_usage(
+                    ALL_SIGALGS,
+                    &[trust],
+                    &[],
+                    time,
+                    webpki::KeyUsage::server_auth(),
+                    &[],
+                ) {
                     Ok(_) => verified = true,
                     Err(e) => {
                         warn!("Error verifying certificate: {:?}", e);
                     }
                 }
 
                 if let Some(server_name) = verify_host {
-                    match cert.verify_is_valid_for_dns_name(
-                        DnsNameRef::try_from_ascii_str(server_name).unwrap(),
-                    ) {
-                        Ok(_) => host_verified = true,
+                    match webpki::SubjectNameRef::try_from_ascii(server_name.as_bytes()) {
+                        Ok(subject) => match cert.verify_is_valid_for_subject_name(subject) {
+                            Ok(_) => host_verified = true,
+                            Err(e) => {
+                                warn!("Error verifying host: {:?}", e);
+                            }
+                        },
                         Err(e) => {
                             warn!("Error verifying host: {:?}", e);
                         }