
Commit 8558735

committed
use rustls-webpki instead of linkerd/webpki
This commit changes the `linkerd-meshtls-rustls` crate to use the upstream `rustls-webpki` crate, maintained by Rustls, rather than our fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes the change which was the initial motivation for the `linkerd/webpki` fork (rustls/webpki#42), we can now depend on upstream.
1 parent 426120a commit 8558735


5 files changed

+28
-21
lines changed


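--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1408,11 +1408,11 @@ dependencies = [
 "linkerd-tls-test-util",
 "ring",
 "rustls-pemfile",
+"rustls-webpki",
 "thiserror",
 "tokio",
 "tokio-rustls",
 "tracing",
-"webpki",
 ]
 
 [[package]]
@@ -2462,6 +2462,16 @@ dependencies = [
 "base64",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.101.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
+dependencies = [
+"ring",
+"untrusted",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.11"
@@ -3149,8 +3159,9 @@ dependencies = [
 
 [[package]]
 name = "webpki"
-version = "0.22.0"
-source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
 dependencies = [
 "ring",
 "untrusted",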

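--- a/Cargo.toml
+++ b/Cargo.toml
@@ -80,6 +80,3 @@ debug = false
 
 [profile.release]
 lto = true
-
-[patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }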

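--- a/linkerd/meshtls/rustls/Cargo.toml
+++ b/linkerd/meshtls/rustls/Cargo.toml
@@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
 ring = { version = "0.16", features = ["std"] }
 rustls-pemfile = "1.0"
+rustls-webpki = { version = "0.101.4", features = [ "std"] }
 thiserror = "1"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
 tracing = "0.1"
-webpki = "0.22"
 
 [dev-dependencies]
 linkerd-tls-test-util = { path = "../../tls/test-util" }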

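--- a/linkerd/meshtls/rustls/src/creds/store.rs
+++ b/linkerd/meshtls/rustls/src/creds/store.rs
@@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 hello: rustls::server::ClientHello<'_>,
 ) -> Option<Arc<rustls::sign::CertifiedKey>> {
 let server_name = match hello.server_name() {
-Some(name) => webpki::DnsNameRef::try_from_ascii_str(name)
-.expect("server name must be a valid server name"),
-
+Some(name) => {
+let name = webpki::DnsNameRef::try_from_ascii_str(name)
+.expect("server name must be a valid server name");
+webpki::SubjectNameRef::DnsName(name)
+}
 None => {
 debug!("no SNI -> no certificate");
 return None;
@@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 // Verify that our certificate is valid for the given SNI name.
 let c = self.0.cert.first()?;
 if let Err(error) = webpki::EndEntityCert::try_from(c.as_ref())
-.and_then(|c| c.verify_is_valid_for_dns_name(server_name))
+.and_then(|c| c.verify_is_valid_for_subject_name(server_name))
 {
 debug!(%error, "Local certificate is not valid for SNI");
 return None;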
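Review bot: The `.expect("server name must be a valid server name")` kept on new line 244 still panics on a client-supplied SNI value, and after this change that value is re-parsed by rustls-webpki 0.101.4 while the lockfile keeps webpki 0.22.1 for the rest of the TLS stack, so a name that the TLS layer accepts but the newer crate rejects would presumably abort the handshake task with a panic instead of a refused resolution. Replacing the expect with a match that logs and returns `None` keeps that failure on the same path as the existing "no SNI -> no certificate" arm, which is what a malformed or unsupported SNI should produce. The enclosing `ResolvesServerCert` method starts before the hunk; only its `hello` parameter and return type are visible here.

```rust
Some(name) => match webpki::DnsNameRef::try_from_ascii_str(name) {
    Ok(name) => webpki::SubjectNameRef::DnsName(name),
    Err(error) => {
        debug!(%error, "SNI is not a valid DNS name -> no certificate");
        return None;
    }
},
// … unchanged: `None` arm and local certificate verification …
```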

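--- a/linkerd/meshtls/rustls/src/server.rs
+++ b/linkerd/meshtls/rustls/src/server.rs
@@ -130,18 +130,15 @@ fn client_identity<I>(tls: &tokio_rustls::server::TlsStream<I>) -> Option<Client
 let certs = session.peer_certificates()?;
 let c = certs.first().map(Certificate::as_ref)?;
 let end_cert = webpki::EndEntityCert::try_from(c).ok()?;
-let dns_names = end_cert.dns_names().ok()?;
+let mut dns_names = end_cert.dns_names().ok()?;
 
-match dns_names.first()? {
-webpki::GeneralDnsNameRef::DnsName(n) => {
-let s: &str = (*n).into();
-s.parse().ok().map(ClientId)
-}
-webpki::GeneralDnsNameRef::Wildcard(_) => {
-// Wildcards can perhaps be handled in a future path...
-None
-}
+let name: &str = dns_names.next()?.into();
+if name == "*" {
+// Wildcards can perhaps be handled in a future path...
+return None;
 }
+
+name.parse().ok().map(ClientId)
 }
 
 // === impl ServerIo ===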
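Review bot: The wildcard guard `if name == "*"` on new line 136 only rejects a name that is exactly `*`; if the `&str` obtained from a wildcard SAN entry is the full pattern (`*.example.com` rather than `*`), that entry now falls through to `name.parse().ok().map(ClientId)`, whereas the removed lines rejected the `Wildcard` variant outright and never let a wildcard SAN be read as a concrete client identity. I cannot confirm the string form of a wildcard entry from this page, so this is worth checking against the crate. Either match on the iterator's item variant as before, if the new crate still exports it, or at least write `if name.starts_with('*') {` so both renderings are refused, and extend the comment to say the check guards identity extraction, not just an unsupported feature. `client_identity` begins before the hunk; only its signature is shown in the hunk header.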
