Description: use older branch of crate rustls-webpki
Author: Jonas Smedegaard <dr@jones.dk>
Forwarded: not-needed
Last-Update: 2025-03-23
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -77,7 +77,7 @@
time = { version = "0.3.6", default-features = false }
tikv-jemallocator = "0.6"
tokio = { version = "1.34", features = ["io-util", "macros", "net", "rt"] }
-webpki = { package = "rustls-webpki", version = "0.103", features = ["alloc"], default-features = false }
+webpki = { package = "rustls-webpki", version = "0.102.8", features = ["alloc"], default-features = false }
rustls-native-certs = "0.6"
x25519-dalek = "2"
x509-parser = "0.17"
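Review bot: The `webpki` line moves certificate validation onto the 0.102 branch, but neither this hunk nor the Description says why, or when the patch can be dropped. Because `version = "0.102.8"` is a caret requirement, any 0.102.x release at or above 0.102.8 satisfies it. Consider stating in the header which packaged version this targets and that the patch should be removed once 0.103 is available, so that fixes landing only on the newer branch are not missed.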
--- a/rustls/src/webpki/mod.rs
+++ b/rustls/src/webpki/mod.rs
@@ -2,7 +2,7 @@
use core::fmt;
use pki_types::CertificateRevocationListDer;
-use webpki::{CertRevocationList, InvalidNameContext, OwnedCertRevocationList};
+use webpki::{CertRevocationList, OwnedCertRevocationList};
use crate::error::{CertRevocationListError, CertificateError, Error, OtherError};
#[cfg(feature = "std")]
@@ -58,27 +58,13 @@
use webpki::Error::*;
match error {
BadDer | BadDerTime | TrailingData(_) => CertificateError::BadEncoding.into(),
- CertNotValidYet { time, not_before } => {
- CertificateError::NotValidYetContext { time, not_before }.into()
- }
- CertExpired { time, not_after } => {
- CertificateError::ExpiredContext { time, not_after }.into()
- }
- InvalidCertValidity => CertificateError::Expired.into(),
+ CertNotValidYet => CertificateError::NotValidYet.into(),
+ CertExpired | InvalidCertValidity => CertificateError::Expired.into(),
UnknownIssuer => CertificateError::UnknownIssuer.into(),
- CertNotValidForName(InvalidNameContext {
- expected,
- presented,
- }) => CertificateError::NotValidForNameContext {
- expected,
- presented,
- }
- .into(),
+ CertNotValidForName => CertificateError::NotValidForName.into(),
CertRevoked => CertificateError::Revoked.into(),
UnknownRevocationStatus => CertificateError::UnknownRevocationStatus.into(),
- CrlExpired { time, next_update } => {
- CertificateError::ExpiredRevocationListContext { time, next_update }.into()
- }
+ CrlExpired => CertificateError::ExpiredRevocationList.into(),
IssuerNotCrlSigner => CertRevocationListError::IssuerInvalidForCrl.into(),
InvalidSignatureForPublicKey
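Review bot: The new arms for `CertNotValidYet`, `CertExpired`, `CertNotValidForName` and `CrlExpired` discard the `time`, `not_before`, `not_after`, `expected`, `presented` and `next_update` fields, so an `InvalidCertificate` error no longer reports which name or timestamp failed. Nothing visible in this patch touches the `...Context` variants of `CertificateError`, so if they remain defined, downstream code that matches only on, for example, `NotValidForNameContext { .. }` would still compile but never match. That behaviour change is worth recording in the Description.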
@@ -205,7 +191,7 @@
),
];
for t in testcases {
- assert_eq!(crl_error(t.0.clone()), t.1);
+ assert_eq!(crl_error(t.0), t.1);
}
assert!(matches!(
--- a/rustls/tests/api.rs
+++ b/rustls/tests/api.rs
@@ -1677,7 +1677,7 @@
assert_eq!(
err,
Err(ErrorFromPeer::Client(Error::InvalidCertificate(
- certificate_error_expecting_name("not-the-right-hostname.com")
+ CertificateError::NotValidForName
)))
);
}
@@ -1712,7 +1712,7 @@
assert_eq!(
check_server_name(client_config.clone(), server_config.clone(), "198.51.100.2"),
Err(ErrorFromPeer::Client(Error::InvalidCertificate(
- certificate_error_expecting_name("198.51.100.2")
+ CertificateError::NotValidForName
)))
);
@@ -1726,7 +1726,7 @@
assert_eq!(
check_server_name(client_config.clone(), server_config.clone(), "2001:db8::2"),
Err(ErrorFromPeer::Client(Error::InvalidCertificate(
- certificate_error_expecting_name("2001:db8::2")
+ CertificateError::NotValidForName
)))
);
}
@@ -1888,12 +1888,12 @@
// We expect the handshake to fail since the CRL is expired.
let err = do_handshake_until_error(&mut client, &mut server);
- assert!(matches!(
+ assert_eq!(
err,
Err(ErrorFromPeer::Client(Error::InvalidCertificate(
- CertificateError::ExpiredRevocationListContext { .. }
+ CertificateError::ExpiredRevocationList
)))
- ));
+ );
let client_config =
make_client_config_with_verifier(&[version], ignore_expiration_builder.clone());
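Review bot: Switching `assert!(matches!(...))` to `assert_eq!(...)` here is a larger edit than the variant rename needs. Keeping the `matches!` form and changing only the pattern to `CertificateError::ExpiredRevocationList` would reduce this to a one-line change that is easier to rebase when upstream touches the test.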
@@ -3470,9 +3470,7 @@
)
);
assert_eq!(
- Err(Error::InvalidCertificate(certificate_error_expecting_name(
- "not-localhost"
- ))),
+ Err(Error::InvalidCertificate(CertificateError::NotValidForName)),
resolver.add(
"not-localhost",
sign::CertifiedKey::new(kt.get_chain(), signing_key.clone())
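Review bot: This is the fourth call to `certificate_error_expecting_name` replaced in api.rs (after the hunks at -1677, -1712 and -1726), yet the patch does not remove the helper itself. If no other callers remain, it is left as dead code in the test file. Either drop its definition in this patch or confirm that the test build does not fail on the unused-function warning.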