Description: accept older branch of crate rcgen This essentially reverts upstream git commits 785e876 and 46b9143. Author: Jonas Smedegaard Forwarded: not-needed Last-Update: 2025-08-08 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/Cargo.toml +++ b/Cargo.toml @@ -89,7 +89,7 @@ bencher = "0.1.5" bzip2 = ">= 0.4.4, <= 0.6" once_cell = "1.17.2" -rcgen = "0.14" +rcgen = ">= 0.13.0, <= 0.14" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" --- a/benches/benchmark.rs +++ b/benches/benchmark.rs @@ -3,7 +3,7 @@ use bencher::{Bencher, benchmark_group, benchmark_main}; use once_cell::sync::Lazy; use rcgen::{ - BasicConstraints, CertificateParams, CertificateRevocationListParams, IsCa, Issuer, + BasicConstraints, CertificateParams, CertificateRevocationListParams, CertifiedKey, IsCa, KeyIdMethod, KeyPair, KeyUsagePurpose, PKCS_ECDSA_P256_SHA256, RevocationReason, RevokedCertParams, SerialNumber, date_time_ymd, }; @@ -19,7 +19,7 @@ /// Lazy initialized CRL issuer to be used when generating CRL data. Includes /// `KeyUsagePurpose::CrlSign` key usage bit. -static CRL_ISSUER: Lazy>> = Lazy::new(|| { +static CRL_ISSUER: Lazy> = Lazy::new(|| { let mut issuer_params = CertificateParams::new(vec!["crl.issuer.example.com".to_string()]).unwrap(); issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); @@ -29,7 +29,8 @@ KeyUsagePurpose::CrlSign, ]; let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); - Mutex::new(Issuer::new(issuer_params, key_pair)) + let cert = issuer_params.self_signed(&key_pair).unwrap(); + Mutex::new(CertifiedKey { cert, key_pair }) }); /// Number of revoked certificates to include in the small benchmark CRL. Produces a CRL roughly @@ -96,7 +97,9 @@ revoked_certs, }; let issuer = CRL_ISSUER.lock().unwrap(); - crl.signed_by(&issuer).unwrap().into() + crl.signed_by(&issuer.cert, &issuer.key_pair) + .unwrap() + .into() } /// Benchmark parsing a small CRL file into a borrowed representation. --- a/src/end_entity.rs +++ b/src/end_entity.rs @@ -191,7 +191,7 @@ fn printable_string_common_name() { const DNS_NAME: &str = "test.example.com"; - let issuer = test_utils::make_issuer("Test").0; + let issuer = test_utils::make_issuer("Test"); let ee_cert = { let mut params = test_utils::end_entity_params(vec![DNS_NAME.to_string()]); @@ -200,13 +200,14 @@ params.distinguished_name.push( rcgen::DnType::CommonName, rcgen::DnValue::PrintableString( - rcgen::string::PrintableString::try_from("example.com").unwrap(), + rcgen::PrintableString::try_from("example.com").unwrap(), ), ); params .signed_by( &rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap(), - &issuer, + &issuer.cert, + &issuer.key_pair, ) .expect("failed to make ee cert (this is a test bug)") }; --- a/src/test_utils.rs +++ b/src/test_utils.rs @@ -1,24 +1,26 @@ #![cfg(feature = "alloc")] use std::prelude::v1::*; -use rcgen::{Certificate, CertifiedKey, Issuer, KeyPair, SigningKey}; - #[cfg_attr(not(feature = "ring"), allow(dead_code))] -pub(crate) fn make_end_entity(issuer: &Issuer<'_, impl SigningKey>) -> CertifiedKey { - let signing_key = KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap(); - CertifiedKey { +pub(crate) fn make_end_entity( + issuer: &rcgen::Certificate, + issuer_key: &rcgen::KeyPair, +) -> rcgen::CertifiedKey { + let key_pair = rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap(); + rcgen::CertifiedKey { cert: end_entity_params(vec!["example.com".into()]) - .signed_by(&signing_key, issuer) + .signed_by(&key_pair, issuer, issuer_key) .unwrap(), - signing_key, + key_pair, } } -pub(crate) fn make_issuer(org_name: impl Into) -> (Issuer<'static, KeyPair>, Certificate) { - let params = issuer_params(org_name); - let key_pair = KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap(); - let cert = params.self_signed(&key_pair).unwrap(); - (Issuer::new(params, key_pair), cert) +pub(crate) fn make_issuer(org_name: impl Into) -> rcgen::CertifiedKey { + let key_pair = rcgen::KeyPair::generate_for(RCGEN_SIGNATURE_ALG).unwrap(); + rcgen::CertifiedKey { + cert: issuer_params(org_name).self_signed(&key_pair).unwrap(), + key_pair, + } } /// Populate a [CertificateParams] that describes an unconstrained issuer certificate capable --- a/src/verify_cert.rs +++ b/src/verify_cert.rs @@ -862,7 +862,7 @@ use crate::test_utils; use crate::test_utils::{issuer_params, make_end_entity, make_issuer}; use crate::trust_anchor::anchor_from_trusted_cert; - use rcgen::{Certificate, Issuer, KeyPair, SigningKey}; + use rcgen::{CertifiedKey, KeyPair}; use std::dbg; use std::prelude::v1::*; @@ -958,7 +958,6 @@ }); let ca_key_pair = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); let ca_cert = ca_cert_params.self_signed(&ca_key_pair).unwrap(); - let ca = Issuer::new(ca_cert_params, ca_key_pair); // Create a series of intermediate issuers. We'll only use one in the actual built path, // helping demonstrate that the name constraint budget is not expended checking certificates @@ -969,16 +968,15 @@ let intermediate_key_pair = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); // Each intermediate should be issued by the trust anchor. - let intermediate_cert = intermediate.signed_by(&intermediate_key_pair, &ca).unwrap(); - intermediates.push(( - intermediate_cert, - Issuer::new(intermediate, intermediate_key_pair), - )); + let intermediate = intermediate + .signed_by(&intermediate_key_pair, &ca_cert, &ca_key_pair) + .unwrap(); + intermediates.push((intermediate, intermediate_key_pair)); } // Create an end-entity cert that is issued by the last of the intermediates. let last_issuer = intermediates.last().unwrap(); - let ee_cert = make_end_entity(&last_issuer.1); + let ee_cert = make_end_entity(&last_issuer.0, &last_issuer.1); let ee_cert = EndEntityCert::try_from(ee_cert.cert.der()).unwrap(); // We use a custom budget to make it easier to write a test, otherwise it is tricky to @@ -1037,70 +1035,94 @@ )); } - /// This test builds a PKI like the following diagram depicts. We first verify - /// that we can build a path EE -> B -> A -> TA. Next we supply a custom path verification - /// function that rejects the B->A path, and verify that we build a path EE -> B -> C -> TA. - /// - /// ┌───────────┐ - /// │ │ - /// │ TA │ - /// │ │ - /// └───┬───┬───┘ - /// │ │ - /// │ │ - /// ┌────────┐◄┘ └──►┌────────┐ - /// │ │ │ │ - /// │ A │ │ C │ - /// │ │ │ │ - /// └────┬───┘ └───┬────┘ - /// │ │ - /// │ │ - /// │ ┌─────────┐ │ - /// └──►│ │◄──┘ - /// │ B │ - /// │ │ - /// └────┬────┘ - /// │ - /// │ - /// │ - /// ┌────▼────┐ - /// │ │ - /// │ EE │ - /// │ │ - /// └─────────┘ #[test] fn test_reject_candidate_path() { + /* + This test builds a PKI like the following diagram depicts. We first verify + that we can build a path EE -> B -> A -> TA. Next we supply a custom path verification + function that rejects the B->A path, and verify that we build a path EE -> B -> C -> TA. + + ┌───────────┐ + │ │ + │ TA │ + │ │ + └───┬───┬───┘ + │ │ + │ │ + ┌────────┐◄┘ └──►┌────────┐ + │ │ │ │ + │ A │ │ C │ + │ │ │ │ + └────┬───┘ └───┬────┘ + │ │ + │ │ + │ ┌─────────┐ │ + └──►│ │◄──┘ + │ B │ + │ │ + └────┬────┘ + │ + │ + │ + ┌────▼────┐ + │ │ + │ EE │ + │ │ + └─────────┘ + */ + // Create a trust anchor, and use it to issue two distinct intermediate certificates, each // with a unique subject and keypair. - let (trust_anchor, trust_anchor_cert) = make_issuer("Trust Anchor"); - let trust_anchor_cert_der = trust_anchor_cert.der(); + let trust_anchor = make_issuer("Trust Anchor"); let trust_anchor_cert = - Cert::from_der(untrusted::Input::from(trust_anchor_cert_der)).unwrap(); - let trust_anchors = &[anchor_from_trusted_cert(trust_anchor_cert_der).unwrap()]; + Cert::from_der(untrusted::Input::from(trust_anchor.cert.der())).unwrap(); + let trust_anchors = &[anchor_from_trusted_cert(trust_anchor.cert.der()).unwrap()]; + + let intermediate_a = issuer_params("Intermediate A"); + let intermediate_a_kp = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); + let intermediate_a = intermediate_a + .signed_by( + &intermediate_a_kp, + &trust_anchor.cert, + &trust_anchor.key_pair, + ) + .unwrap(); + let intermediate_a_cert = + Cert::from_der(untrusted::Input::from(intermediate_a.der())).unwrap(); - let intermediate_a = make_intermediate("Intermediate A", &trust_anchor); - let intermediate_c = make_intermediate("Intermediate C", &trust_anchor); + let intermediate_c = issuer_params("Intermediate C"); + let intermediate_c_kp = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); + let intermediate_c = intermediate_c + .signed_by( + &intermediate_c_kp, + &trust_anchor.cert, + &trust_anchor.key_pair, + ) + .unwrap(); + let intermediate_c_cert = + Cert::from_der(untrusted::Input::from(intermediate_c.der())).unwrap(); // Next, create an intermediate that is issued by both of the intermediates above. // Both should share the same subject, and key pair, but will differ in the issuer. - let (intermediate_b, intermediate_b_a_cert, intermediate_b_c_cert) = { - let key = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); - let params = issuer_params("Intermediate"); - let intermediate_b_a_cert = params.signed_by(&key, &intermediate_a.0).unwrap(); - let intermediate_b_c_cert = params.signed_by(&key, &intermediate_c.0).unwrap(); - let issuer = Issuer::new(params, key); - (issuer, intermediate_b_a_cert, intermediate_b_c_cert) - }; + let intermediate_b_key = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); + let intermediate_b_params = issuer_params("Intermediate"); + let intermediate_b_a = intermediate_b_params + .clone() + .signed_by(&intermediate_b_key, &intermediate_a, &intermediate_a_kp) + .unwrap(); + let intermediate_b_c = intermediate_b_params + .signed_by(&intermediate_b_key, &intermediate_c, &intermediate_c_kp) + .unwrap(); let intermediates = &[ - intermediate_a.1.der().clone(), - intermediate_c.1.der().clone(), - intermediate_b_a_cert.der().clone(), - intermediate_b_c_cert.der().clone(), + intermediate_a.der().clone(), + intermediate_c.der().clone(), + intermediate_b_a.der().clone(), + intermediate_b_c.der().clone(), ]; // Create an end entity certificate signed by the keypair of the intermediates created above. - let ee = make_end_entity(&intermediate_b); + let ee = make_end_entity(&intermediate_b_a, &intermediate_b_key); let ee_cert = &EndEntityCert::try_from(ee.cert.der()).unwrap(); // We should be able to create a valid path from EE to trust anchor. @@ -1109,8 +1131,6 @@ // We expect that without applying any additional constraints, that the path will be // EE -> intermediate_b_a -> intermediate_a -> trust_anchor. - let intermediate_a_cert = - Cert::from_der(untrusted::Input::from(intermediate_a.1.der())).unwrap(); assert_eq!(path_intermediates.len(), 2); assert_eq!( path_intermediates[0].issuer(), @@ -1143,8 +1163,6 @@ // We expect that the path will now be // EE -> intermediate_b_c -> intermediate_c -> trust_anchor. - let intermediate_c_cert = - Cert::from_der(untrusted::Input::from(intermediate_c.1.der())).unwrap(); assert_eq!(path_intermediates.len(), 2); assert_eq!( path_intermediates[0].issuer(), @@ -1153,31 +1171,24 @@ assert_eq!(path_intermediates[1].issuer(), trust_anchor_cert.subject()); } - fn make_intermediate( - org_name: impl Into, - issuer: &Issuer<'_, impl SigningKey>, - ) -> (Issuer<'static, KeyPair>, Certificate) { - let params = issuer_params(org_name); - let key = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); - let cert = params.signed_by(&key, issuer).unwrap(); - (Issuer::new(params, key), cert) - } - fn build_and_verify_degenerate_chain( intermediate_count: usize, trust_anchor: ChainTrustAnchor, ) -> ControlFlow { let ca_cert = make_issuer("Bogus Subject"); - let mut intermediate_chain = build_linear_chain(&ca_cert.0, intermediate_count, true); + let mut intermediate_chain = build_linear_chain(&ca_cert, intermediate_count, true); let verify_trust_anchor = match trust_anchor { ChainTrustAnchor::InChain => make_issuer("Bogus Trust Anchor"), ChainTrustAnchor::NotInChain => ca_cert, }; - let ee_cert = make_end_entity(&intermediate_chain.last_issuer); + let ee_cert = make_end_entity( + &intermediate_chain.last_issuer.cert, + &intermediate_chain.last_issuer.key_pair, + ); let ee_cert = EndEntityCert::try_from(ee_cert.cert.der()).unwrap(); - let trust_anchor_der: CertificateDer<'_> = verify_trust_anchor.1.into(); + let trust_anchor_der: CertificateDer<'_> = verify_trust_anchor.cert.into(); let webpki_ta = anchor_from_trusted_cert(&trust_anchor_der).unwrap(); if matches!(trust_anchor, ChainTrustAnchor::InChain) { // Note: we clone the trust anchor DER here because we can't move it into the chain @@ -1204,13 +1215,16 @@ fn build_and_verify_linear_chain(chain_length: usize) -> Result<(), ControlFlow> { let ca_cert = make_issuer(format!("Bogus Subject {chain_length}")); - let intermediate_chain = build_linear_chain(&ca_cert.0, chain_length, false); + let intermediate_chain = build_linear_chain(&ca_cert, chain_length, false); - let ca_cert_der: CertificateDer<'_> = ca_cert.1.into(); + let ca_cert_der: CertificateDer<'_> = ca_cert.cert.into(); let anchor = anchor_from_trusted_cert(&ca_cert_der).unwrap(); let anchors = &[anchor.clone()]; - let ee_cert = make_end_entity(&intermediate_chain.last_issuer); + let ee_cert = make_end_entity( + &intermediate_chain.last_issuer.cert, + &intermediate_chain.last_issuer.key_pair, + ); let ee_cert = EndEntityCert::try_from(ee_cert.cert.der()).unwrap(); let expected_chain = |path: &VerifiedPath<'_>| { @@ -1255,7 +1269,7 @@ } fn build_linear_chain( - ca_cert: &Issuer<'_, KeyPair>, + ca_cert: &CertifiedKey, chain_length: usize, all_same_subject: bool, ) -> IntermediateChain { @@ -1274,10 +1288,12 @@ }); let key_pair = KeyPair::generate_for(test_utils::RCGEN_SIGNATURE_ALG).unwrap(); - let cert = intermediate.signed_by(&key_pair, issuer).unwrap(); + let cert = intermediate + .signed_by(&key_pair, &issuer.cert, &issuer.key_pair) + .unwrap(); chain.push(cert.der().clone()); - prev = Some(Issuer::new(intermediate, key_pair)); + prev = Some(CertifiedKey { cert, key_pair }); } IntermediateChain { @@ -1287,7 +1303,7 @@ } struct IntermediateChain { - last_issuer: Issuer<'static, KeyPair>, + last_issuer: CertifiedKey, chain: Vec>, } --- a/tests/client_auth.rs +++ b/tests/client_auth.rs @@ -99,7 +99,7 @@ ekus: Vec, name: &str, ) -> Result<(Certificate, Certificate), Box> { - let (issuer, issuer_cert) = make_issuer(name)?; - let end_entity = make_end_entity(ekus, name, &issuer)?; - Ok((end_entity.cert, issuer_cert)) + let issuer = make_issuer(name)?; + let end_entity = make_end_entity(ekus, name, &issuer.cert, &issuer.key_pair)?; + Ok((end_entity.cert, issuer.cert)) } --- a/tests/common/mod.rs +++ b/tests/common/mod.rs @@ -2,30 +2,30 @@ use rcgen::{ Certificate, CertificateParams, CertifiedKey, DnType, DnValue, ExtendedKeyUsagePurpose, IsCa, - Issuer, KeyPair, KeyUsagePurpose, SignatureAlgorithm, SigningKey, + KeyPair, KeyUsagePurpose, SignatureAlgorithm, }; #[cfg_attr(not(feature = "ring"), allow(dead_code))] pub fn make_end_entity( ekus: Vec, org_name: impl Into, - issuer: &Issuer<'_, impl SigningKey>, -) -> Result, Box> { - let signing_key = KeyPair::generate_for(RCGEN_SIGNATURE_ALG)?; + issuer: &Certificate, + issuer_key: &KeyPair, +) -> Result> { + let key_pair = KeyPair::generate_for(RCGEN_SIGNATURE_ALG)?; Ok(CertifiedKey { cert: end_entity_params(vec!["example.com".into()], org_name, ekus)? - .signed_by(&signing_key, issuer)?, - signing_key, + .signed_by(&key_pair, issuer, issuer_key)?, + key_pair, }) } -pub fn make_issuer( - org_name: impl Into, -) -> Result<(Issuer<'static, KeyPair>, Certificate), Box> { - let params = issuer_params(org_name)?; - let signing_key = KeyPair::generate_for(RCGEN_SIGNATURE_ALG)?; - let cert = params.self_signed(&signing_key)?; - Ok((Issuer::new(params, signing_key), cert)) +pub fn make_issuer(org_name: impl Into) -> Result> { + let key_pair = KeyPair::generate_for(RCGEN_SIGNATURE_ALG)?; + Ok(CertifiedKey { + cert: issuer_params(org_name)?.self_signed(&key_pair)?, + key_pair, + }) } /// Populate a [CertificateParams] that describes an unconstrained issuer certificate.