use rustls-webpki instead of linkerd/webpki

hawkw · hawkw · commit 85587359fc28 · 2023-09-01T11:34:30.000-07:00
This commit changes the `linkerd-meshtls-rustls` crate to use the upstream `rustls-webpki` crate, maintained by Rustls, rather than our fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes the change which was the initial motivation for the `linkerd/webpki` fork (rustls/webpki#42), we can now depend on upstream.
diff --git a/Cargo.lock b/Cargo.lock
@@ -1408,11 +1408,11 @@ dependencies = [
  "linkerd-tls-test-util",
  "ring",
  "rustls-pemfile",
+ "rustls-webpki",
  "thiserror",
  "tokio",
  "tokio-rustls",
  "tracing",
- "webpki",
 ]
 
 [[package]]
@@ -2462,6 +2462,16 @@ dependencies = [
  "base64",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.11"
@@ -3149,8 +3159,9 @@ dependencies = [
 
 [[package]]
 name = "webpki"
-version = "0.22.0"
-source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
 dependencies = [
  "ring",
  "untrusted",
diff --git a/Cargo.toml b/Cargo.toml
@@ -80,6 +80,3 @@ debug = false
 
 [profile.release]
 lto = true
-
-[patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }
diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml
@@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16", features = ["std"] }
 rustls-pemfile = "1.0"
+rustls-webpki = { version = "0.101.4", features = [ "std"] }
 thiserror = "1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
 tracing = "0.1"
-webpki = "0.22"
 
 [dev-dependencies]
 linkerd-tls-test-util = { path = "../../tls/test-util" }
diff --git a/linkerd/meshtls/rustls/src/creds/store.rs b/linkerd/meshtls/rustls/src/creds/store.rs
@@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
         hello: rustls::server::ClientHello<'_>,
     ) -> Option<Arc<rustls::sign::CertifiedKey>> {
         let server_name = match hello.server_name() {
-            Some(name) => webpki::DnsNameRef::try_from_ascii_str(name)
-                .expect("server name must be a valid server name"),
-
+            Some(name) => {
+                let name = webpki::DnsNameRef::try_from_ascii_str(name)
+                    .expect("server name must be a valid server name");
+                webpki::SubjectNameRef::DnsName(name)
+            }
             None => {
                 debug!("no SNI -> no certificate");
                 return None;
@@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
         // Verify that our certificate is valid for the given SNI name.
         let c = self.0.cert.first()?;
         if let Err(error) = webpki::EndEntityCert::try_from(c.as_ref())
-            .and_then(|c| c.verify_is_valid_for_dns_name(server_name))
+            .and_then(|c| c.verify_is_valid_for_subject_name(server_name))
         {
             debug!(%error, "Local certificate is not valid for SNI");
             return None;
diff --git a/linkerd/meshtls/rustls/src/server.rs b/linkerd/meshtls/rustls/src/server.rs
@@ -130,18 +130,15 @@ fn client_identity<I>(tls: &tokio_rustls::server::TlsStream<I>) -> Option<Client
     let certs = session.peer_certificates()?;
     let c = certs.first().map(Certificate::as_ref)?;
     let end_cert = webpki::EndEntityCert::try_from(c).ok()?;
-    let dns_names = end_cert.dns_names().ok()?;
+    let mut dns_names = end_cert.dns_names().ok()?;
 
-    match dns_names.first()? {
-        webpki::GeneralDnsNameRef::DnsName(n) => {
-            let s: &str = (*n).into();
-            s.parse().ok().map(ClientId)
-        }
-        webpki::GeneralDnsNameRef::Wildcard(_) => {
-            // Wildcards can perhaps be handled in a future path...
-            None
-        }
+    let name: &str = dns_names.next()?.into();
+    if name == "*" {
+        // Wildcards can perhaps be handled in a future path...
+        return None;
     }
+
+    name.parse().ok().map(ClientId)
 }
 
 // === impl ServerIo ===
