From 1896cffaae2d8ccb0c4e7c06eb7904be3856dbaa Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Thu, 24 Aug 2023 08:59:29 -0400
Subject: [PATCH 1/2] tests: fix webpki CRL test. Previously the `test_crl` fn generated a certificate revocation list that had a revoked certificate entry with the serial number `0xC0FFEE` - this constant has a binary representation of `110000001111111111101110`, where the MSB is 1. This makes the serial number negative, in contradiction to RFC 5280's requirements for serial numbers. The Yasna-based encoder that rcgen uses for emitting the serial number accounted for this by prepending 0x00 automatically. This should have resulted in a failure to find the literal serial `0xC0FFEE` in the webpki CRL, except that webpki was incorrectly canonicalizing the serial number for the CRL representation, meaning the `0x00C0FFEE` serial emitted by rcgen was stored as `0xC0FFEE`, matching our lookup and allowing the test to pass. In Webpki v0.101.2 we removed the inappropriate canonicalization, meaning the rcgen emitted serial of `0x00C0FFEE` was stored as-is, and a lookup for `0xC0FFEE` no longer found a revoked certificate, making the test fail. This commit fixes the above by explicitly using `0x00C0FFEE` as the serial number used for encoding of the revoked certificate's serial, and the lookup operation.
---
 tests/util.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/util.rs b/tests/util.rs
index c8f1ebad..6c4ca298 100644
--- a/tests/util.rs
+++ b/tests/util.rs
@@ -82,7 +82,7 @@ pub fn test_crl() -> (CertificateRevocationList, Certificate) {
 let now = OffsetDateTime::now_utc();
 let next_week = now + Duration::weeks(1);
 let revoked_cert = RevokedCertParams{
- serial_number: SerialNumber::from_slice(&[0xC0, 0xFF, 0xEE]),
+ serial_number: SerialNumber::from_slice(&[0x00, 0xC0, 0xFF, 0xEE]),
 revocation_time: now,
 reason_code: Some(RevocationReason::KeyCompromise),
 invalidity_date: None,
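Review bot: The new literal `&[0x00, 0xC0, 0xFF, 0xEE]` has no comment explaining the leading zero, so a later cleanup could drop it and reintroduce the mismatch this commit fixes. The reason is given only in the commit message: 0xC0 has its top bit set, so the serial needs the 0x00 pad to stay positive per RFC 5280, and webpki now keeps the CRL serial as encoded. That belongs next to the value, for example `// Leading 0x00 is deliberate: 0xC0 has the MSB set, and webpki stores CRL serials as encoded.` The body of test_crl continues past the end of this hunk, so the lookup the message mentions is not visible here.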
From d9f1688ec14fbaa9ce369bcf61617bb65242bbb8 Mon Sep 17 00:00:00 2001 From: Daniel McCarney Date: Thu, 24 Aug 2023 09:18:32 -0400 Subject: [PATCH 2/2] tests: fix webpki deprecations, remove allow. The upstream webpki deprecated the per-usage trust anchor representation and end entity certificate verification functions. Instead, we now use the general `TrustAnchor` type and invoke `verify_for_usage` with the intended `KeyUsage`. --- tests/webpki.rs | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/webpki.rs b/tests/webpki.rs index f7d47612..7b809622 100644 --- a/tests/webpki.rs +++ b/tests/webpki.rs @@ -1,11 +1,9 @@ -// TODO: we import deprecated webpki items here, get rid of them and allow this -#![allow(deprecated)] #[cfg(feature = "x509-parser")] use rcgen::{CertificateSigningRequest, DnValue}; use rcgen::{BasicConstraints, Certificate, CertificateParams, DnType, IsCa, KeyPair, RemoteKeyPair}; use rcgen::{KeyUsagePurpose, ExtendedKeyUsagePurpose, SerialNumber}; use rcgen::{CertificateRevocationList, CertificateRevocationListParams, RevocationReason, RevokedCertParams}; -use webpki::{EndEntityCert, TlsServerTrustAnchors, TrustAnchor, BorrowedCertRevocationList, CertRevocationList, TlsClientTrustAnchors}; +use webpki::{EndEntityCert, TrustAnchor, BorrowedCertRevocationList, CertRevocationList, KeyUsage}; use webpki::SignatureAlgorithm; use webpki::{Time, DnsNameRef}; 
@@ -54,18 +52,19 @@ fn check_cert_ca<'a, 'b>(cert_der :&[u8], cert :&'a Certificate, ca_der :&[u8], sign_fn :impl FnOnce(&'a Certificate, &'b [u8]) -> Vec) { let trust_anchor = TrustAnchor::try_from_cert_der(&ca_der).unwrap(); let trust_anchor_list = &[trust_anchor]; - let trust_anchors = TlsServerTrustAnchors(trust_anchor_list); let end_entity_cert = EndEntityCert::try_from(cert_der).unwrap(); // Set time to Jan 10, 2004 let time = Time::from_seconds_since_unix_epoch(0x40_00_00_00); // (1/3) Check whether the cert is valid - end_entity_cert.verify_is_valid_tls_server_cert( + end_entity_cert.verify_for_usage( &[&cert_alg, &ca_alg], - &trust_anchors, + &trust_anchor_list[..], &[], time, + KeyUsage::server_auth(), + &[], ).expect("valid TLS server cert"); // (2/3) Check that the cert is valid for the given DNS name @@ -485,17 +484,17 @@ fn test_webpki_crl_revoke() { // Set up webpki's verification requirements. let trust_anchor = TrustAnchor::try_from_cert_der(issuer_der.as_ref()).unwrap(); let trust_anchor_list = &[trust_anchor]; - let trust_anchors = TlsClientTrustAnchors(trust_anchor_list); let end_entity_cert = EndEntityCert::try_from(ee_der.as_ref()).unwrap(); let unix_time = 0x40_00_00_00; let time = Time::from_seconds_since_unix_epoch(unix_time); // The end entity cert should validate with the issuer without error. - end_entity_cert.verify_is_valid_tls_client_cert( + end_entity_cert.verify_for_usage( &[&webpki::ECDSA_P256_SHA256], - &trust_anchors, + &trust_anchor_list[..], &[], time, + KeyUsage::client_auth(), &[], ).expect("failed to validate ee cert with issuer"); 
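Review bot: The two bare `&[]` arguments in the new `verify_for_usage` call in check_cert_ca look identical at the call site but mean different things. The third argument is the intermediate certificate list and the last is the CRL list, which is the slot where the final hunk passes `&[&crl]`. An empty CRL list means this call does no revocation checking, which is worth stating so that `expect("valid TLS server cert")` is not read as covering revocation. I would annotate them as `&[], // no intermediates` and `&[], // no CRLs: revocation is not checked here`; the same applies to both calls in test_webpki_crl_revoke. check_cert_ca's signature begins before this hunk and its body continues after it.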
@@ -520,11 +519,12 @@ fn test_webpki_crl_revoke() { let crl = BorrowedCertRevocationList::from_der(&crl_der).unwrap(); // The end entity cert should **not** validate when we provide a CRL that revokes the EE cert. - let result = end_entity_cert.verify_is_valid_tls_client_cert( + let result = end_entity_cert.verify_for_usage( &[&webpki::ECDSA_P256_SHA256], - &trust_anchors, + &trust_anchor_list[..], &[], time, + KeyUsage::client_auth(), &[&crl], ); assert!(matches!(result, Err(webpki::Error::CertRevoked)));
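Review bot: As far as these hunks show, the only CRL passed to `verify_for_usage` is one that lists the end-entity serial. The `Err(webpki::Error::CertRevoked)` assertion therefore cannot tell a correct serial match from a lookup that rejects whenever any CRL from the issuer is supplied. A further call with a CRL that revokes a different serial, asserting `Ok`, would pin the comparison. That is worth having given the serial-encoding mismatch described in patch 1/2. The body of test_webpki_crl_revoke extends beyond the visible hunks, so such a control may already exist further down.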