Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: fix webpki CRL test, deprecations. #142

Merged
merged 2 commits into from
Aug 25, 2023
Merged

tests: fix webpki CRL test, deprecations. #142

merged 2 commits into from
Aug 25, 2023

Conversation

cpu
Copy link
Member

@cpu cpu commented Aug 24, 2023

tests: fix webpki CRL test.

Previously the test_crl fn generated a certificate revocation list that had a revoked certificate entry with the serial number 0xC0FFEE - this constant has a binary representation of 110000001111111111101110, where the MSB is 1. This makes the serial number negative, in contradiction to RFC 5280's requirements for serial numbers.

The Yasna-based encoder that rcgen uses for emitting the serial number accounted for this by prepending 0x00 automatically. This should have resulted in a failure to find the literal serial 0xC0FFEE in the webpki CRL, except that webpki was incorrectly canonicalizing the serial number for the CRL representation, meaning the 0x00C0FFEE serial emitted by rcgen was stored as 0xC0FFEE, matching our lookup and allowing the test to pass.

In Webpki v0.101.2 we removed the inappropriate canonicalization (rustls/webpki@e9e4955), meaning the rcgen emitted serial of 0x00C0FFEE was stored as-is, and a lookup for 0xC0FFEE no longer found a revoked certificate, making the test fail.

This commit fixes the above by explicitly using 0x00C0FFEE as the serial number used for encoding of the revoked certificate's serial, and the lookup operation.

Resolves #141

tests: fix webpki deprecations, remove allow.

The upstream webpki deprecated the per-usage trust anchor representation and end entity certificate verification functions. Instead, we now use the general TrustAnchor type and invoke verify_for_usage with the intended KeyUsage.

@cpu
tests: fix webpki CRL test.
1896cff 
Previously the `test_crl` fn generated a certificate revocation list
that had a revoked certificate entry with the serial number `0xC0FFEE`
- this constant has a binary representation of
`110000001111111111101110`, where the MSB is 1. This makes the serial
number negative, in contradiction to RFC 5280's requirements for serial
numbers.

The Yasna-based encoder that rcgen uses for emitting the serial
number accounted for this by prepending 0x00 automatically. This should
have resulted in a failure to find the literal serial `0xC0FFEE` in the
webpki CRL, except that webpki was incorrectly canonicalizing the serial
number for the CRL representation, meaning the `0x00C0FFEE` serial
emitted by rcgen was stored as `0xC0FFEE`, matching our lookup and
allowing the test to pass.

In Webpki v0.101.2 we removed the inappropriate canonicalization,
meaning the rcgen emitted serial of `0x00C0FFEE` was stored as-is, and
a lookup for `0xC0FFEE` no longer found a revoked certificate, making
the test fail.

This commit fixes the above by explicitly using `0x00C0FFEE` as the
serial number used for encoding of the revoked certificate's serial, and
the lookup operation.
@cpu
tests: fix webpki deprecations, remove allow.
d9f1688 
The upstream webpki deprecated the per-usage trust anchor representation
and end entity certificate verification functions. Instead, we now use
the general `TrustAnchor` type and invoke `verify_for_usage` with the
intended `KeyUsage`.
@cpu cpu self-assigned this Aug 24, 2023
djc
djc approved these changes Aug 24, 2023
View reviewed changes
Copy link
Member

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@cpu cpu assigned est31 and unassigned cpu Aug 24, 2023
@cpu
Copy link
Member Author

cpu commented Aug 24, 2023

@est31 Holding off on merging this on your +1 per your expressed preference.

@cpu cpu mentioned this pull request Aug 24, 2023
Merged
This was referenced Aug 24, 2023
Closed
Merged
@cpu cpu mentioned this pull request Aug 24, 2023
Merged
@est31
Copy link
Member

est31 commented Aug 25, 2023

Mhh yeah it seems that the problem was like the one I described in this old comment: briansmith/webpki#232 (comment)

@est31 est31 merged commit 75c853f into rustls:master Aug 25, 2023
6 checks passed
@cpu cpu deleted the cpu-141-fix-crl-test branch August 25, 2023 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@est31 est31 est31 approved these changes

@djc djc djc approved these changes

Assignees

@est31 est31

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fix webpki tests after update
3 participants
@cpu @est31 @djc