5 files changed +28
-21
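--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1408,11 +1408,11 @@ dependencies = [
 " linkerd-tls-test-util" ,
 " ring" ,
 " rustls-pemfile" ,
+" rustls-webpki" ,
 " thiserror" ,
 " tokio" ,
 " tokio-rustls" ,
 " tracing" ,
-" webpki" ,
 ]
 
 [[package ]]
@@ -2462,6 +2462,16 @@ dependencies = [
 " base64" ,
 ]
 
+[[package ]]
+name = " rustls-webpki"
+version = " 0.101.4"
+source = " registry+https://github.com/rust-lang/crates.io-index"
+checksum = " 7d93931baf2d282fff8d3a532bbfd7653f734643161b87e3e01e59a04439bf0d"
+dependencies = [
+" ring" ,
+" untrusted" ,
+]
+
 [[package ]]
 name = " rustversion"
 version = " 1.0.11"
@@ -3149,8 +3159,9 @@ dependencies = [
 
 [[package ]]
 name = " webpki"
-version = " 0.22.0"
-source = " git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
+version = " 0.22.1"
+source = " registry+https://github.com/rust-lang/crates.io-index"
+checksum = " f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
 dependencies = [
 " ring" ,
 " untrusted" ,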
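--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -80,6 +80,3 @@ debug = false
 
 [profile .release ]
 lto = true
-
-[patch .crates-io ]
-webpki = { git = " https://github.com/linkerd/webpki" , branch = " cert-dns-names-0.22" }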
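--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
 linkerd-tls-test-util = { path = " ../../tls/test-util" , optional = true }
 ring = { version = " 0.16" , features = [" std" ] }
 rustls-pemfile = " 1.0"
+rustls-webpki = { version = " 0.101.4" , features = [ " std" ] }
 thiserror = " 1"
 tokio = { version = " 1" , features = [" macros" , " rt" , " sync" ] }
 tokio-rustls = { version = " 0.23" , features = [" dangerous_configuration" ] }
 tracing = " 0.1"
-webpki = " 0.22"
 
 [dev-dependencies ]
 linkerd-tls-test-util = { path = " ../../tls/test-util" }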
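--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 hello : rustls:: server:: ClientHello < ' _ > ,
 ) -> Option < Arc < rustls:: sign:: CertifiedKey > > {
 let server_name = match hello. server_name ( ) {
-Some ( name) => webpki:: DnsNameRef :: try_from_ascii_str ( name)
-. expect ( "server name must be a valid server name" ) ,
-
+Some ( name) => {
+let name = webpki:: DnsNameRef :: try_from_ascii_str ( name)
+. expect ( "server name must be a valid server name" ) ;
+webpki:: SubjectNameRef :: DnsName ( name)
+}
 None => {
 debug ! ( "no SNI -> no certificate" ) ;
 return None ;
@@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
 // Verify that our certificate is valid for the given SNI name.
 let c = self . 0 . cert . first ( ) ?;
 if let Err ( error) = webpki:: EndEntityCert :: try_from ( c. as_ref ( ) )
-. and_then ( |c| c. verify_is_valid_for_dns_name ( server_name) )
+. and_then ( |c| c. verify_is_valid_for_subject_name ( server_name) )
 {
 debug ! ( %error, "Local certificate is not valid for SNI" ) ;
 return None ;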
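Review bot: The `.expect("server name must be a valid server name")` kept on new lines 243–244 is a panic path driven by the peer's SNI value, while the `None` arm two lines below degrades gracefully with a debug log and `return None`. rustls is believed to reject a ClientHello whose SNI is not a valid DNS name before `server_name()` can observe it, so the panic is probably unreachable today, but that invariant lives in another crate and a dependency bump can move it; handling the `Err` the same way as the missing-SNI case costs nothing and keeps the resolver from taking the whole server down on a malformed hello. The enclosing method starts before the hunk, and the `match` it opens is closed after it.
```rust
let server_name = match hello.server_name() {
    Some(name) => match webpki::DnsNameRef::try_from_ascii_str(name) {
        Ok(name) => webpki::SubjectNameRef::DnsName(name),
        Err(error) => {
            debug!(%error, "SNI is not a valid DNS name -> no certificate");
            return None;
        }
    },
    // … unchanged: None arm …
```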
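--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -130,18 +130,15 @@ fn client_identity<I>(tls: &tokio_rustls::server::TlsStream<I>) -> Option<Client
 let certs = session. peer_certificates ( ) ?;
 let c = certs. first ( ) . map ( Certificate :: as_ref) ?;
 let end_cert = webpki:: EndEntityCert :: try_from ( c) . ok ( ) ?;
-let dns_names = end_cert. dns_names ( ) . ok ( ) ?;
+let mut dns_names = end_cert. dns_names ( ) . ok ( ) ?;
 
-match dns_names. first ( ) ? {
-webpki:: GeneralDnsNameRef :: DnsName ( n) => {
-let s: & str = ( * n) . into ( ) ;
-s. parse ( ) . ok ( ) . map ( ClientId )
-}
-webpki:: GeneralDnsNameRef :: Wildcard ( _) => {
-// Wildcards can perhaps be handled in a future path...
-None
-}
+let name: & str = dns_names. next ( ) ?. into ( ) ;
+if name == "*" {
+// Wildcards can perhaps be handled in a future path...
+return None ;
 }
+
+name. parse ( ) . ok ( ) . map ( ClientId )
 }
 
 // === impl ServerIo ===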
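Review bot: The guard `if name == "*"` on new line 136 is narrower than the `Wildcard(_)` arm it replaces: a wildcard SAN is normally carried as `*.example.com`, not as a bare `*`, so unless the rustls-webpki iterator collapses wildcard entries to `*` (not visible from this hunk), such a name skips the early return and reaches `name.parse()`. Whether that then produces a `ClientId` depends on the identity parser rejecting a leading `*`, which this hunk cannot show; treating a wildcard name as a concrete peer identity would be an authorization problem, so the rejection should not rely on a downstream parser. A prefix test preserves the old arm's intent in either case: `if name.starts_with('*') {`. The opening lines of `client_identity` are outside the hunk.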