use rustls-webpki instead of linkerd/webpki (#2465)
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.

Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (see PR
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.
hawkw committed Sep 18, 2023
1 parent 5116fb8 commit a4ccd6f
Showing 6 changed files with 32 additions and 25 deletions.
16 changes: 13 additions & 3 deletions Cargo.lock
Expand Up @@ -1380,11 +1380,11 @@ dependencies = [
"linkerd-tls-test-util",
"ring",
"rustls-pemfile",
"rustls-webpki",
"thiserror",
"tokio",
"tokio-rustls",
"tracing",
"webpki",
]

[[package]]
Expand Down Expand Up @@ -2434,6 +2434,15 @@ dependencies = [
"base64",
]

[[package]]
name = "rustls-webpki"
version = "0.101.5"
source = "git+https://github.com/cpu/webpki?rev=702d57f444e3f7d743277524e832a2363290ec4d#702d57f444e3f7d743277524e832a2363290ec4d"
dependencies = [
"ring",
"untrusted",
]

[[package]]
name = "rustversion"
version = "1.0.11"
Expand Down Expand Up @@ -3114,8 +3123,9 @@ dependencies = [

[[package]]
name = "webpki"
version = "0.22.0"
source = "git+https://github.com/linkerd/webpki?branch=cert-dns-names-0.22#a26def03ec88d3b69542ccd2f0073369ecedc4f9"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0e74f82d49d545ad128049b7e88f6576df2da6b02e9ce565c6f533be576957e"
dependencies = [
"ring",
"untrusted",
3 changes: 2 additions & 1 deletion Cargo.toml
Expand Up @@ -82,6 +82,7 @@ debug = false
lto = true

[patch.crates-io]
webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.22" }
boring = { git = "https://github.com/cloudflare/boring" }
tokio-boring = { git = "https://github.com/cloudflare/boring" }
# remove this patch when https://github.com/rustls/webpki/pull/170 is published!
rustls-webpki = { git = "https://github.com/cpu/webpki", rev = "702d57f444e3f7d743277524e832a2363290ec4d" }
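Review bot: The removal condition in the comment on the new `rustls-webpki` patch line is only given as a PR link, while what the build actually waits for is a crates.io release of the version the crate already requires; naming it makes the cleanup checkable from the manifest: `# remove this patch once rustls-webpki 0.101.5 (rustls/webpki#170) is on crates.io`. The same wording is used on the `allow-git` entry added to deny.toml, which has to be dropped in the same change, so the comment there should say so too. The `rev` pin to a full commit hash is what keeps this fork dependency immutable and reproducible; a later bump should keep that form rather than switch to a `branch =` reference like the `webpki` patch being removed here.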
9 changes: 4 additions & 5 deletions deny.toml
Expand Up @@ -69,9 +69,8 @@ skip-tree = [
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = ["https://github.com/cloudflare/boring.git"]

[sources.allow-org]
github = [
"linkerd",
allow-git = [
"https://github.com/cloudflare/boring.git",
# remove this when https://github.com/rustls/webpki/pull/170 is published!
"https://github.com/cpu/webpki",
]
2 changes: 1 addition & 1 deletion linkerd/meshtls/rustls/Cargo.toml
Expand Up @@ -19,11 +19,11 @@ linkerd-tls = { path = "../../tls" }
linkerd-tls-test-util = { path = "../../tls/test-util", optional = true }
ring = { version = "0.16", features = ["std"] }
rustls-pemfile = "1.0"
rustls-webpki = { version = "0.101.5", features = [ "std"] }
thiserror = "1"
tokio = { version = "1", features = ["macros", "rt", "sync"] }
tokio-rustls = { version = "0.23", features = ["dangerous_configuration"] }
tracing = "0.1"
webpki = "0.22"

[dev-dependencies]
linkerd-tls-test-util = { path = "../../tls/test-util" }
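Review bot: The feature list on the new `rustls-webpki` line has uneven bracket spacing, `[ "std"]`, unlike the other entries in this block such as `["std"]` on the `ring` line; `rustls-webpki = { version = "0.101.5", features = ["std"] }` matches them. The version requirement agrees with the git-sourced `0.101.5` entry in Cargo.lock, so removing the `[patch]` later should need no edit here.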
10 changes: 6 additions & 4 deletions linkerd/meshtls/rustls/src/creds/store.rs
Expand Up @@ -239,9 +239,11 @@ impl rustls::server::ResolvesServerCert for CertResolver {
hello: rustls::server::ClientHello<'_>,
) -> Option<Arc<rustls::sign::CertifiedKey>> {
let server_name = match hello.server_name() {
Some(name) => webpki::DnsNameRef::try_from_ascii_str(name)
.expect("server name must be a valid server name"),

Some(name) => {
let name = webpki::DnsNameRef::try_from_ascii_str(name)
.expect("server name must be a valid server name");
webpki::SubjectNameRef::DnsName(name)
}
None => {
debug!("no SNI -> no certificate");
return None;
Expand All @@ -251,7 +253,7 @@ impl rustls::server::ResolvesServerCert for CertResolver {
// Verify that our certificate is valid for the given SNI name.
let c = self.0.cert.first()?;
if let Err(error) = webpki::EndEntityCert::try_from(c.as_ref())
.and_then(|c| c.verify_is_valid_for_dns_name(server_name))
.and_then(|c| c.verify_is_valid_for_subject_name(server_name))
{
debug!(%error, "Local certificate is not valid for SNI");
return None;
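Review bot: The `expect` on `DnsNameRef::try_from_ascii_str(name)` is kept on the new side, and the string it parses comes from the peer's ClientHello, so an SNI value that rustls accepts but rustls-webpki rejects would panic inside the handshake rather than fail it; swapping the webpki implementation is exactly the moment such a validation gap could open. Returning `None` as the `None` arm already does keeps it a rejected handshake: `Some(name) => webpki::SubjectNameRef::DnsName(webpki::DnsNameRef::try_from_ascii_str(name).ok()?),`, presumably with a `debug!` line to match the other arm. rustls likely validates the SNI as a DNS name before exposing it, which may be why the `expect` was considered safe, but that invariant is held by another crate and is not visible here. The enclosing resolver method of the `ResolvesServerCert` impl starts before this hunk and ends after the second one.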
17 changes: 6 additions & 11 deletions linkerd/meshtls/rustls/src/server.rs
Expand Up @@ -130,18 +130,13 @@ fn client_identity<I>(tls: &tokio_rustls::server::TlsStream<I>) -> Option<Client
let certs = session.peer_certificates()?;
let c = certs.first().map(Certificate::as_ref)?;
let end_cert = webpki::EndEntityCert::try_from(c).ok()?;
let dns_names = end_cert.dns_names().ok()?;

match dns_names.first()? {
webpki::GeneralDnsNameRef::DnsName(n) => {
let s: &str = (*n).into();
s.parse().ok().map(ClientId)
}
webpki::GeneralDnsNameRef::Wildcard(_) => {
// Wildcards can perhaps be handled in a future path...
None
}
let name: &str = end_cert.dns_names().ok()?.next().map(Into::into)?;
if name == "*" {
// Wildcards can perhaps be handled in a future path...
return None;
}

name.parse().ok().map(ClientId)
}

// === impl ServerIo ===
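Review bot: The new wildcard guard on the `if name == "*"` line compares the whole name with a lone asterisk, whereas the removed code matched on the `GeneralDnsNameRef::Wildcard` variant, whose string form would carry the full pattern (`*.example.com`-style) rather than `"*"`; if the `Into::into` conversion on the line above preserves that form, the guard never fires and a wildcard SAN falls through to `name.parse()`. I cannot confirm the conversion from this page; if it does keep the prefix, `if name.starts_with("*.")` or matching on the variant as before is the intended check, and if `"*"` really is the only possible form a comment stating why would save the next reader the same question. The result may still be `None` if `parse()` rejects such a name, but that would be incidental rather than the explicit wildcard handling the comment promises. `client_identity`'s signature is on the hunk header and its first statements are outside the hunk.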
