carl-wallace · baloo · Sep 26, 2024 · Sep 26, 2024
diff --git a/.github/workflows/certval.yml b/.github/workflows/certval.yml
@@ -15,7 +15,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.75.0 # MSRV
+          - 1.81.0 # MSRV
           - stable
     steps:
       - uses: actions/checkout@v4
@@ -30,7 +30,7 @@ jobs:
     strategy:
       matrix:
         rust:
-          - 1.75.0 # MSRV
+          - 1.81.0 # MSRV
           - stable
     steps:
       - uses: actions/checkout@v4

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,9 +14,7 @@ debug = true
 debug = true
 
 [patch.crates-io]
-cms        = { git = "https://github.com/RustCrypto/formats.git" }
 x509-ocsp  = { git = "https://github.com/RustCrypto/formats.git" }
-x509-cert  = { git = "https://github.com/RustCrypto/formats.git" }
 # FIXME: https://github.com/dalek-cryptography/curve25519-dalek/pull/676
 ed25519-dalek = { git = "https://github.com/dalek-cryptography/curve25519-dalek.git", branch = "rustcrypto-new-releases" }
 

diff --git a/certval/Cargo.toml b/certval/Cargo.toml
@@ -12,12 +12,12 @@ categories = ["cryptography", "pki", "no-std"]
 keywords = ["crypto", "x.509", "OCSP"]
 readme = "README.md"
 edition = "2021"
-rust-version = "1.75"
+rust-version = "1.81"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-x509-cert = { version = "0.3.0-pre", default-features = false, features = ["hazmat","pem"] }
+x509-cert = { version = "0.3.0-pre.0", default-features = false, features = ["hazmat","pem"] }
 const-oid = { version = "0.10.0-rc.0", default-features = false, features = ["db"] }
 cms = "0.3.0-pre"
 der = { version="0.8.0-rc.0", features = ["alloc", "derive", "flagset", "oid"] }

diff --git a/certval/src/builder/file_utils.rs b/certval/src/builder/file_utils.rs
@@ -121,7 +121,7 @@ fn cert_or_ta_folder_to_vec(
                     if collect_tas {
                         let r = TrustAnchorChoice::<Raw>::from_der(buffer.as_slice());
                         if let Ok(TrustAnchorChoice::Certificate(cert)) = r {
-                            let r = valid_at_time(&cert.tbs_certificate, time_of_interest, true);
+                            let r = valid_at_time(&cert.tbs_certificate(), time_of_interest, true);
                             if let Err(_e) = r {
                                 error!(
                                     "Ignored {} as not valid at indicated time of interest",
@@ -135,7 +135,7 @@ fn cert_or_ta_folder_to_vec(
                     } else {
                         let r = CertificateInner::from_der(buffer.as_slice());
                         if let Ok(cert) = r {
-                            let r = valid_at_time(&cert.tbs_certificate, time_of_interest, true);
+                            let r = valid_at_time(&cert.tbs_certificate(), time_of_interest, true);
                             if let Err(_e) = r {
                                 error!(
                                     "Ignored {} as not valid at indicated time of interest",

diff --git a/certval/src/builder/uri_utils.rs b/certval/src/builder/uri_utils.rs
@@ -115,7 +115,7 @@ fn save_cert(
     let r = CertificateInner::from_der(bytes);
     match r {
         Ok(cert) => {
-            if let Err(_e) = valid_at_time(&cert.tbs_certificate, time_of_interest, true) {
+            if let Err(_e) = valid_at_time(cert.tbs_certificate(), time_of_interest, true) {
                 debug!("Ignoring certificate downloaded from {} as not valid at indicated time of interest ({})", target, time_of_interest);
                 return saved;
             }

diff --git a/certval/src/revocation/check_revocation.rs b/certval/src/revocation/check_revocation.rs
@@ -101,7 +101,8 @@ pub async fn check_revocation(
     let mut statuses = vec![];
     for (pos, ca_cert_ref) in v.iter().enumerate() {
         let cur_cert = ca_cert_ref;
-        let cur_cert_subject = name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate.subject);
+        let cur_cert_subject =
+            name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate().subject());
         let revoked_error = if pos == max_index {
             CertificateRevokedEndEntity
         } else {
@@ -298,7 +299,8 @@ pub fn check_revocation(
     let mut statuses = vec![];
     for (pos, ca_cert_ref) in v.iter().enumerate() {
         let cur_cert = ca_cert_ref;
-        let cur_cert_subject = name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate.subject);
+        let cur_cert_subject =
+            name_to_string(&ca_cert_ref.decoded_cert.tbs_certificate().subject());
         let revoked_error = if pos == max_index {
             CertificateRevokedEndEntity
         } else {

diff --git a/certval/src/revocation/crl.rs b/certval/src/revocation/crl.rs
@@ -653,7 +653,7 @@ fn validate_crl_issuer_name(
         Ok(Some(PDVExtension::CrlDistributionPoints(crl_dp))) => crl_dp,
         _ => match Name::from_der(&crl_info.issuer_name_blob) {
             Ok(n) => {
-                if compare_names(&cert.decoded_cert.tbs_certificate.issuer, &n) {
+                if compare_names(&cert.decoded_cert.tbs_certificate().issuer(), &n) {
                     return Ok(None);
                 } else {
                     return Err(Error::CrlIncompatible);
@@ -681,7 +681,7 @@ fn validate_crl_issuer_name(
 
     match Name::from_der(&crl_info.issuer_name_blob) {
         Ok(n) => {
-            if compare_names(&cert.decoded_cert.tbs_certificate.issuer, &n) {
+            if compare_names(&cert.decoded_cert.tbs_certificate().issuer(), &n) {
                 Ok(None)
             } else {
                 Err(Error::CrlIncompatible)
@@ -839,7 +839,7 @@ fn validate_crl_authority(target_cert: &PDVCertificate, crl_info: &CrlInfo) -> R
     //		If the CRL issuer name does not match the cert issuer name, the indirectCRL field must be present
     //		in the IDP.
 
-    let enc_iss = match target_cert.decoded_cert.tbs_certificate.issuer.to_der() {
+    let enc_iss = match target_cert.decoded_cert.tbs_certificate().issuer().to_der() {
         Ok(b) => b,
         Err(_e) => return Err(Error::Unrecognized),
     };
@@ -868,7 +868,7 @@ fn verify_crl(
         &defer_crl.tbs_field,
         defer_crl.signature.raw_bytes(),
         &defer_crl.signature_algorithm,
-        &issuer_cert.tbs_certificate.subject_public_key_info,
+        &issuer_cert.tbs_certificate().subject_public_key_info(),
     );
     if let Err(e) = r {
         log_error_for_subject(
@@ -950,8 +950,8 @@ pub(crate) fn check_crl_validity(toi: TimeOfInterest, crl: &CertificateList<Raw>
 }
 
 fn check_crl_sign(cert: &CertificateInner<Raw>) -> Result<()> {
-    if let Some(exts) = &cert.tbs_certificate.extensions {
-        for ext in exts {
+    if let Some(exts) = &cert.tbs_certificate().extensions() {
+        for ext in exts.as_slice() {
             if ext.extn_id == ID_CE_KEY_USAGE {
                 if let Ok(ku) = KeyUsage::from_der(ext.extn_value.as_bytes()) {
                     // (n)  If a key usage extension is present, verify that the
@@ -1021,7 +1021,7 @@ pub(crate) fn process_crl(
     if !COMPATIBLE_SCOPE[(cert_type as usize, crl_info.type_info.scope as usize)]
         || !COMPATIBLE_COVERAGE[(cert_type as usize, crl_info.type_info.coverage as usize)]
     {
-        info!("Discarding CRL from {} as having incompatible scope or coverage for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate.subject));
+        info!("Discarding CRL from {} as having incompatible scope or coverage for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()));
         return Err(Error::CrlIncompatible);
     }
 
@@ -1044,7 +1044,7 @@ pub(crate) fn process_crl(
         target_cert,
         &mut collected_reasons,
     ) {
-        info!("Discarding CRL from {} as having incompatible distribution point for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate.subject));
+        info!("Discarding CRL from {} as having incompatible distribution point for certificate issued to {}", name_to_string(&crl.tbs_cert_list.issuer), name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()));
         return Err(Error::CrlIncompatible);
     }
 
@@ -1053,7 +1053,7 @@ pub(crate) fn process_crl(
         info!(
             "Discarding CRL from {} as having incompatible authority for certificate issued to {}",
             name_to_string(&crl.tbs_cert_list.issuer),
-            name_to_string(&target_cert.decoded_cert.tbs_certificate.subject)
+            name_to_string(&target_cert.decoded_cert.tbs_certificate().subject())
         );
         return Err(Error::CrlIncompatible);
     }
@@ -1083,7 +1083,7 @@ pub(crate) fn process_crl(
 
             if rc
                 .serial_number
-                .der_cmp(&target_cert.decoded_cert.tbs_certificate.serial_number)
+                .der_cmp(&target_cert.decoded_cert.tbs_certificate().serial_number())
                 .map(|ordering| matches!(ordering, std::cmp::Ordering::Equal))
                 .unwrap_or_default()
             {
@@ -1142,12 +1142,12 @@ pub(crate) async fn check_revocation_crl_remote(
     pos: usize,
 ) -> PathValidationStatus {
     let mut target_status = PathValidationStatus::RevocationStatusNotDetermined;
-    let cur_cert_subject = name_to_string(&target_cert.decoded_cert.tbs_certificate.subject);
+    let cur_cert_subject = name_to_string(&target_cert.decoded_cert.tbs_certificate().subject());
     let crl_dps = get_crl_dps(target_cert);
     if crl_dps.is_empty() {
         info!(
             "No CRL DPs found for {}",
-            name_to_string(&target_cert.decoded_cert.tbs_certificate.subject)
+            name_to_string(&target_cert.decoded_cert.tbs_certificate().subject())
         );
     } else {
         let timeout = cps.get_crl_timeout();

diff --git a/certval/src/revocation/ocsp_client.rs b/certval/src/revocation/ocsp_client.rs
@@ -55,16 +55,16 @@ use crate::{
 
 fn get_key_hash(cert: &CertificateInner<Raw>) -> Result<Vec<u8>> {
     Ok(Sha1::digest(
-        cert.tbs_certificate
-            .subject_public_key_info
+        cert.tbs_certificate()
+            .subject_public_key_info()
             .subject_public_key
             .raw_bytes(),
     )
     .to_vec())
 }
 
 fn get_subject_name_hash(cert: &CertificateInner<Raw>) -> Result<Vec<u8>> {
-    let enc_subject = match cert.tbs_certificate.subject.to_der() {
+    let enc_subject = match cert.tbs_certificate().subject().to_der() {
         Ok(enc_spki) => enc_spki,
         Err(e) => return Err(Error::Asn1Error(e)),
     };
@@ -215,7 +215,7 @@ fn prepare_ocsp_request(
         hash_algorithm,
         issuer_name_hash,
         issuer_key_hash,
-        serial_number: target_cert.tbs_certificate.serial_number.clone(),
+        serial_number: target_cert.tbs_certificate().serial_number().clone(),
     };
     //TODO add nonce support
     let request_list = vec![Request {
@@ -283,9 +283,9 @@ impl<'a> ::der::DecodeValue<'a> for DeferDecodeBasicOcspResponse {
     }
 }
 
-fn no_check_present(exts: &Option<Extensions>) -> bool {
+fn no_check_present(exts: &Option<&Extensions>) -> bool {
     if let Some(exts) = exts {
-        for ext in exts {
+        for ext in exts.as_slice() {
             if ext.extn_id == ID_PKIX_OCSP_NOCHECK {
                 return true;
             }
@@ -316,7 +316,7 @@ fn verify_response_signature(
         &ddbor.tbs_response_data,
         signature,
         &bor.signature_algorithm,
-        &signers_cert.tbs_certificate.subject_public_key_info,
+        &signers_cert.tbs_certificate().subject_public_key_info(),
     )
 }
 
@@ -533,10 +533,11 @@ fn process_ocsp_response_internal(
                         &defer_cert.tbs_field,
                         defer_cert.signature.raw_bytes(),
                         &defer_cert.signature_algorithm,
-                        &issuers_cert.tbs_certificate.subject_public_key_info,
+                        &issuers_cert.tbs_certificate().subject_public_key_info(),
                     ) {
                         if let Ok(cert) = CertificateInner::<Raw>::from_der(certbuf.as_slice()) {
-                            if cert.tbs_certificate.signature != defer_cert.signature_algorithm {
+                            if *cert.tbs_certificate().signature() != defer_cert.signature_algorithm
+                            {
                                 error!("Verified candidate responder cert from OCSPResponse from {} but signature algorithm match failed", uri_to_check);
                                 cpr.add_failed_ocsp_response(enc_ocsp_resp.to_vec(), result_index);
                                 continue;
@@ -545,7 +546,7 @@ fn process_ocsp_response_internal(
                             let time_of_interest = cps.get_time_of_interest();
                             if time_of_interest.is_disabled() {
                                 let target_ttl =
-                                    valid_at_time(&cert.tbs_certificate, time_of_interest, false);
+                                    valid_at_time(&cert.tbs_certificate(), time_of_interest, false);
                                 if let Err(_e) = target_ttl {
                                     error!("Verified candidate responder cert from OCSPResponse from {} but certificate has expired", uri_to_check);
                                     cpr.add_failed_ocsp_response(
@@ -556,7 +557,7 @@ fn process_ocsp_response_internal(
                                 }
                             }
 
-                            if !no_check_present(&cert.tbs_certificate.extensions) {
+                            if !no_check_present(&cert.tbs_certificate().extensions()) {
                                 //TODO implement revocation checking of responder cert
                                 error!("no-check absent");
                             }
@@ -608,7 +609,7 @@ fn process_ocsp_response_internal(
     for sr in bor.tbs_response_data.responses {
         if !cert_id_match(
             &sr.cert_id,
-            &target_cert.decoded_cert.tbs_certificate.serial_number,
+            &target_cert.decoded_cert.tbs_certificate().serial_number(),
             name_hash,
             key_hash,
         ) {
@@ -693,7 +694,7 @@ pub(crate) async fn check_revocation_ocsp(
     if ocsp_aias.is_empty() {
         info!(
             "No OCSP AIAs found for {}",
-            name_to_string(&target_cert.decoded_cert.tbs_certificate.subject)
+            name_to_string(&target_cert.decoded_cert.tbs_certificate().subject())
         );
     } else {
         for aia in ocsp_aias {
@@ -710,15 +711,15 @@ pub(crate) async fn check_revocation_ocsp(
                 info!(
                         "Determined revocation status ({}) using OCSP for certificate issued to {} via {}",
                         target_status,
-                        name_to_string(&target_cert.decoded_cert.tbs_certificate.subject),
+                        name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()),
                         aia.as_str(),
                     );
                 // no need to consider additional AIAs
                 break;
             } else {
                 info!(
                     "Failed to determine status for {} via {}",
-                    name_to_string(&target_cert.decoded_cert.tbs_certificate.subject),
+                    name_to_string(&target_cert.decoded_cert.tbs_certificate().subject()),
                     aia.as_str()
                 );
             }